- Type: Defect (Security)
- Resolution: Fixed
- Priority: Major
- Version: 2.0.6
This security problem applies only to zabbix-super-administrator user accounts.
When this is a problem:
for example, I have several zabbix-super-admins, but they should not know the LDAP bind password.
Goal:
any zabbix-super-admin who does not own the password should not be able to learn it (we assume that they do not have direct shell access to the Apache/DB server).
Possible solution:
For example, you type a new "bind password" and press the Save button. The new password is sent to Apache and, if it is correct, stored in the database (as it is currently).
The reloaded page will not contain any value in the "bind password" box or in the HTML source code.
I'm not sure, but maybe it would be worth showing some grayed default text in the box, like "Password stored into DB, type new password if required.", if the password in the DB is not empty.
This default text will help a bit after a user has enabled LDAP auth.
When the mouse cursor is placed in the box, the default text disappears (we already use this approach in some places in the zabbix frontend).
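The behaviour proposed above, as an added illustration that is not Zabbix's own frontend code (Zabbix is written in PHP; this is a language-neutral sketch in Python with constructed configuration values): the field rendering that echoes the stored bind password into the HTML beside the one that never emits it, plus the save handler that keeps the stored password when the box is submitted empty.

```python
import html

# Constructed stand-in for the stored LDAP settings (not Zabbix's real schema).
STORED_CONFIG = {
    "ldap_host": "ldap.example.internal",
    "ldap_bind_dn": "cn=zabbix,dc=example,dc=internal",
    "ldap_bind_password": "s3cret-bind-pass",
}

# Grayed default text suggested in the report, shown only when a password is stored.
PLACEHOLDER = "Password stored into DB, type new password if required."


def render_bind_password_field_vulnerable(config):
    """Echoes the stored secret into the form, so anyone who can open the
    page can read it from the HTML source or the browser's element inspector."""
    value = html.escape(config["ldap_bind_password"], quote=True)
    return '<input type="password" name="ldap_bind_password" value="%s">' % value


def render_bind_password_field_fixed(config):
    """Never emits the stored value; the placeholder tells the admin that an
    empty box keeps the current password."""
    placeholder = PLACEHOLDER if config["ldap_bind_password"] else ""
    return ('<input type="password" name="ldap_bind_password" value="" '
            'placeholder="%s" autocomplete="off">'
            % html.escape(placeholder, quote=True))


def apply_submission(config, form):
    """Server-side companion of the fixed field: an empty submitted password
    means "keep the current one", so the secret never has to round-trip
    through the browser. The report's "if it's correct" step (testing the
    bind before storing) is outside this sketch."""
    updated = dict(config)
    for key in ("ldap_host", "ldap_bind_dn"):
        if key in form:
            updated[key] = form[key]
    submitted = form.get("ldap_bind_password", "")
    if submitted != "":
        updated["ldap_bind_password"] = submitted
    return updated
```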
Somewhat related issue: ZBX-6410
Is duplicated by: ZBX-7598 LDAP bind password in HTML source code (Closed)