ZBX-6721

HTML code of "authentication.php" contains the ldap_bind_password in clear text if LDAP auth is enabled


This security problem applies only to zabbix-super-administrator user accounts.

When this is considered a problem:
For example, I have several zabbix-super-admins, but they should not know the LDAP bind password.

Goal:
Any zabbix-super-admin who doesn't own the password should not be able to learn it (we suppose that they don't have direct shell access to the Apache/DB server).

Possible solution:
For example, you type a new "bind password" and press the Save button. The new password will be sent to Apache and, if it's correct, it will be stored in the database (as it is currently).
The reloaded page will not contain any value in the "bind password" box or in the HTML source code.

I'm not sure, but maybe it would be worth showing some grayed default text in the box, like "Password stored into DB, type new password if required." if the password is not empty in the DB.
This default text will help a bit after a user has enabled the LDAP auth.
If the mouse cursor is placed in the box, the default text will disappear (we already have such an approach in some places in the zabbix frontend).

Somewhat related issue: ZBX-6410
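An added example (not Zabbix's own code) of the rendering and save logic the report proposes. It contrasts the pattern the report describes, where the stored secret is echoed into the `value` attribute and so appears in view-source, with a version that renders the box empty, uses a placeholder only to signal that a password exists, and keeps the stored value when the box is submitted blank. The function names and the in-memory `$config` array standing in for Zabbix's config table are assumptions.

```php
<?php
// Added example, not Zabbix code. Shows the field handling proposed in
// ZBX-6721 so the LDAP bind password never reaches the page HTML.

// Constructed stand-in for the stored configuration row (assumption:
// Zabbix keeps this in the database; here it is just an array).
$config = ['ldap_bind_password' => 'example-bind-secret'];

// Pattern the report describes: the stored secret is written into the
// value attribute, so any super-admin can read it from the page source.
function render_bind_password_field_leaky(array $config): string
{
    return '<input type="password" name="ldap_bind_password" value="'
        . htmlspecialchars($config['ldap_bind_password'], ENT_QUOTES, 'UTF-8')
        . '">';
}

// Hardened rendering: the value is always empty; the placeholder only tells
// the admin that a password is already stored, never what it is.
function render_bind_password_field(array $config): string
{
    $hint = $config['ldap_bind_password'] !== ''
        ? 'Password stored in DB, type a new password if required.'
        : '';
    return '<input type="password" name="ldap_bind_password" value=""'
        . ' autocomplete="new-password" placeholder="'
        . htmlspecialchars($hint, ENT_QUOTES, 'UTF-8') . '">';
}

// Save handler: only a non-empty submission replaces the stored value, so
// an admin who saves the form with the box left blank does not wipe the
// existing password (the box is blank on every reload by design).
function apply_bind_password_update(array $config, array $post): array
{
    $submitted = $post['ldap_bind_password'] ?? '';
    if ($submitted !== '') {
        $config['ldap_bind_password'] = $submitted;
    }
    return $config;
}

// Demonstration run
echo render_bind_password_field_leaky($config), "\n"; // secret visible in HTML
echo render_bind_password_field($config), "\n";       // no secret in HTML

// Blank submission keeps the stored password.
$config = apply_bind_password_update($config, ['ldap_bind_password' => '']);
assert($config['ldap_bind_password'] === 'example-bind-secret');

// Non-empty submission replaces it, and the new value still is not rendered.
$config = apply_bind_password_update($config, ['ldap_bind_password' => 'new-secret']);
assert($config['ldap_bind_password'] === 'new-secret');
assert(strpos(render_bind_password_field($config), 'new-secret') === false);
```

The check at the end is the one a reviewer would run against the fix: after saving, fetch the form again and confirm the stored value appears nowhere in the response body. Whether the new password is validated with a test bind before it is stored, as the report suggests, is left to the real save handler.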

Assignee: Unassigned
Reporter: Oleksii Zagorskyi (zalex_ua)
Votes: 1
Watchers: 2
