[ZBX-10404] password in clear text in HTML of media type settings
Created: 2016 Feb 18  Updated: 2024 Apr 10  Resolved: 2019 Apr 09

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Frontend (F)
Affects Version/s: 3.0.0
Fix Version/s: 3.0.27rc1, 4.0.7rc1, 4.2.1rc1, 4.4.0alpha1, 4.4 (plan)

Type: Defect (Security) Priority: Major
Reporter: Oleksii Zagorskyi Assignee: Gregory Chalenko
Resolution: Fixed Votes: 0
Labels: mediatypes, password, security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Team: Team D
Sprint: Sprint 49 (Feb 2019), Sprint 50 (Mar 2019), Sprint 51 (Apr 2019)
Story Points: 0.5

 Description   

In 3.0 we can set a password in the media type settings, but it's included as clear text in the HTML when we open the media type settings, which is very insecure.

We had a similar case in the past in ZBX-6721 (for the ldap_bind password) and we fixed it in a way that the stored password is not returned to the browser; the user may only set it again by clicking the "Change password" button, which is displayed if the password is not set yet.
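The pattern described above (the stored password is never sent to the browser and is replaced only on an explicit change), as an added sketch that is not Zabbix frontend code. The function names, form field names (`passwd`, `change_passwd`) and the sample record are assumptions made for illustration.

```php
<?php
// Added example, not Zabbix code. All names and values here are hypothetical.

/**
 * Render the password part of an edit form for a stored record.
 * The stored secret is deliberately not an input to the markup:
 * only a button and a "change requested" flag are emitted.
 */
function renderPasswordControl(): string {
    return '<button type="button" id="change_passwd_btn">Change password</button>'
         . '<input type="hidden" name="change_passwd" value="0">';
}

/**
 * Merge a submitted form into the stored record.
 * The stored password is overwritten only when the change flag is set
 * and a new value was actually submitted; otherwise it is kept as is.
 */
function applyUpdate(array $stored, array $post): array {
    $updated = $stored;
    $updated['username'] = (string) ($post['username'] ?? $stored['username']);

    $changeRequested = ($post['change_passwd'] ?? '0') === '1';
    if ($changeRequested && isset($post['passwd'])) {
        $updated['passwd'] = (string) $post['passwd'];
    }
    return $updated;
}

// Constructed sample record and form submissions.
$stored = ['username' => 'alerts@example.com', 'passwd' => 'S3cr3t-constructed'];

// 1. The rendered control must not contain the stored secret.
$html = renderPasswordControl();
var_dump(strpos($html, $stored['passwd']) === false);

// 2. Saving other fields without the flag keeps the stored password,
//    even if a passwd value is present in the request.
$afterEdit = applyUpdate($stored, ['username' => 'ops@example.com', 'passwd' => '']);
var_dump($afterEdit['passwd'] === $stored['passwd']);

// 3. An explicit change replaces it.
$afterChange = applyUpdate($stored, ['change_passwd' => '1', 'passwd' => 'New-constructed']);
var_dump($afterChange['passwd'] === 'New-constructed');
```

The same check as step 1 can be run against any rendered settings page in a regression test: fetch the form as an authenticated user and assert that the stored secret does not occur anywhere in the response body.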



 Comments   
Comment by Gregory Chalenko [ 2019 Feb 19 ]

RESOLVED in development branch svn://svn.zabbix.com/branches/dev/ZBX-10404.

Comment by Gregory Chalenko [ 2019 Apr 09 ]

Fixed in:

  • 3.0.27rc1 r92303
  • 4.0.7rc1 r92317
  • 4.2.1rc1 r92319
  • 4.4.0alpha1 r92322