Loading...

XML

Word

Printable

Type: Change Request
Resolution: Fixed
Priority: High
Fix Version/s: 6.2.0alpha1, 6.2 (plan)
Affects Version/s: 6.0.0beta1
Component/s: API (A), Server (S)
Labels:

Sprint:
Sprint 84 (Jan 2022), Sprint 85 (Feb 2022)
Story Points:
0.25

Zabbix front-end still allows using md5 for verifying passwords (CUser.php):

    private static function verifyPassword($password, array $db_user) {                                                                                         
        if (strlen($db_user['passwd']) > ZBX_MD5_SIZE) {                                                                                                        
            return password_verify($password, $db_user['passwd']);                                                                                              
        }                                                                                                                                                       
                                                                                                                                                                
        if (hash_equals($db_user['passwd'], md5($password))) {

Apparently it was intentional to keep it for backwards compatibility (check ZBXNEXT-1898).
However, to me this functionality looks more like a vulnerability.

Assignee:: Martins Krisjanis (Inactive)

Reporter:: Artjoms Rimdjonoks

Team:: Team B

Votes:: 0 Vote for this issue

Watchers:: 14 Start watching this issue

Created:: 2021 Dec 27 23:34

Updated:: 2024 Apr 10 16:15

Resolved:: 2022 Mar 07 20:39

Details

Description

Attachments

Activity

People

Dates