Uploaded image for project: 'ZABBIX FEATURE REQUESTS'
  1. ZABBIX FEATURE REQUESTS
  2. ZBXNEXT-7397

Insecure md5 is used for verifying passwords

    XMLWordPrintable

Details

    • Team B
    • Sprint 84 (Jan 2022), Sprint 85 (Feb 2022)
    • 0.25

    Description

      Zabbix front-end still allows using md5 for verifying passwords (CUser.php):

          private static function verifyPassword($password, array $db_user) {                                                                                         
              if (strlen($db_user['passwd']) > ZBX_MD5_SIZE) {                                                                                                        
                  return password_verify($password, $db_user['passwd']);                                                                                              
              }                                                                                                                                                       
                                                                                                                                                                      
              if (hash_equals($db_user['passwd'], md5($password))) {  
      

      Apparently it was intentional to keep it for backwards compatibility (check ZBXNEXT-1898).
      However, to me this functionality looks more like a vulnerability.

      Attachments

        Activity

          People

            mkrisjanis Martins Krisjanis (Inactive)
            arimdjonoks Artjoms Rimdjonoks
            Votes:
            0 Vote for this issue
            Watchers:
            15 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: