ZABBIX BUGS AND ISSUES
ZBX-6097

It's possible to override LDAP configuration parameters via the API

    Details

    • Type: Incident report
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels:

      Description

      The user.login method can accept a 'cnf' parameter containing the configuration parameters for LDAP authentication. These parameters will override the configuration in the database. This can be used to authenticate using a completely different LDAP application and is a major security issue.

      As a proof of concept, Oleksiy configured Zabbix to use LDAP, then changed the configuration in the database so that authentication wouldn't work. After that he was able to log in by passing correct parameters when calling user.login.

      The authentication request looks something like this:

      {
        "jsonrpc": "2.0",
        "method": "user.login",
        "params": {
          "user": "Admin",
          "password": "zabbix",
          "cnf": {
            "host": "",
            "port": "",
            "base_dn": "",
            "bind_dn": "",
            "bind_password": "",
            "search_attribute": ""
          }
        },
        "id": 17,
        "auth": "161c074862ae52cc87e16e3584f2ac42"
      }

      This seems to affect all versions starting from 1.8.1.
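As an added illustration (not Zabbix code, and not taken from the report or its attached patches): a Python model of the login flow the description refers to, showing the pre-fix merge of a request-supplied 'cnf' object over the stored LDAP settings beside a hardened handler that rejects parameters outside an allow-list and binds only with the administrator's configuration. The directory contents, stored settings, host names and allow-list are constructed assumptions.

```python
import json

# Constructed stand-in for reachable directory servers: host -> {user: password}.
# "ldap.corp.example" is the directory the administrator configured; the other
# host stands for any directory the server was never meant to consult.
DIRECTORIES = {
    "ldap.corp.example": {"Admin": "correct-horse"},
    "ldap.other.example": {"Admin": "zabbix"},
}
# Constructed stand-in for the LDAP settings stored in the Zabbix database.
DB_LDAP_CONFIG = {"host": "ldap.corp.example", "port": "389", "base_dn": "dc=corp,dc=example"}
# Parameters the model's user.login accepts; anything else is an error.
ALLOWED_LOGIN_PARAMS = {"user", "password"}

def ldap_bind(cnf: dict, user: str, password: str) -> bool:
    """Simulated bind: succeeds only if the host named in cnf knows this user/password."""
    return DIRECTORIES.get(cnf.get("host"), {}).get(user) == password

def login_vulnerable(request: str) -> bool:
    """Pre-fix pattern: a 'cnf' object in params is merged over the stored settings,
    so the request decides which directory answers the bind."""
    params = json.loads(request)["params"]
    cnf = {**DB_LDAP_CONFIG, **params.get("cnf", {})}
    return ldap_bind(cnf, params["user"], params["password"])

def login_hardened(request: str) -> bool:
    """Fixed pattern: unknown parameters are rejected before authentication, and only
    the administrator's stored settings ever reach the bind."""
    params = json.loads(request)["params"]
    unexpected = set(params) - ALLOWED_LOGIN_PARAMS
    if unexpected:
        raise ValueError(f"unexpected user.login parameters: {sorted(unexpected)}")
    return ldap_bind(DB_LDAP_CONFIG, params["user"], params["password"])

# Constructed requests in the shape shown in the report.
OVERRIDE_REQUEST = json.dumps({
    "jsonrpc": "2.0", "method": "user.login", "id": 17,
    "params": {"user": "Admin", "password": "zabbix",
               "cnf": {"host": "ldap.other.example", "port": "389"}}})
NORMAL_REQUEST = json.dumps({
    "jsonrpc": "2.0", "method": "user.login", "id": 18,
    "params": {"user": "Admin", "password": "correct-horse"}})

if __name__ == "__main__":
    print("vulnerable handler accepts override request:", login_vulnerable(OVERRIDE_REQUEST))
    print("hardened handler accepts normal request:", login_hardened(NORMAL_REQUEST))
    try:
        login_hardened(OVERRIDE_REQUEST)
    except ValueError as err:
        print("hardened handler rejects override request:", err)
```

The same allow-list check is also a cheap detection: any user.login body carrying keys outside the documented parameters is worth logging and alerting on.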

      Attachments

      1. ldap_1-8-2.diff (2 kB, Pavels Jelisejevs)
      2. ldap_2-0-1.diff (2 kB, Pavels Jelisejevs)
      3. ldap_2-1-0.diff (5 kB, Pavels Jelisejevs)

        Activity

        Transition                Time In Source Status   Execution Times   Last Executer                  Last Execution Date
        Open -> In Progress       13d 46m                 1                 Pavels Jelisejevs (Inactive)   2013 Jan 02 11:28
        In Progress -> Resolved   5h 43m                  1                 Pavels Jelisejevs (Inactive)   2013 Jan 02 17:11
        Resolved -> Reopened      1d 18h 12m              1                 Toms                           2013 Jan 04 11:24
        Reopened -> Resolved      21m 39s                 1                 Pavels Jelisejevs (Inactive)   2013 Jan 04 11:45
        Resolved -> Closed        28d 22m                 1                 Pavels Jelisejevs (Inactive)   2013 Feb 01 12:08

        People

        • Assignee: Unassigned
        • Reporter: Pavels Jelisejevs (Inactive)
        • Votes: 0
        • Watchers: 2
