[ZBX-11630] vmware collector fail to authenticate when password contains XML entities Created: 2016 Dec 21  Updated: 2017 Dec 17  Resolved: 2016 Dec 30

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Proxy (P), Server (S)
Affects Version/s: 3.0.6
Fix Version/s: 3.0.8rc1, 3.2.4rc1, 3.4.0alpha1

Type: Incident report Priority: Minor
Reporter: Jerome Demeyer Assignee: Unassigned
Resolution: Fixed Votes: 1
Labels: curl, lld, vmware, xml
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

RHEL 7.2 / Zabbix 3.0.6 / vCenter 5.5.0


Issue Links:
Duplicate
is duplicated by ZBX-9787 VMware credentials are not escaped du... Closed

 Description   

Hello,

I tried to add a second VMware vCenter host and it did not work.
The login/password is working with a browser and PowerShell.

Thanks to the command zabbix_server -R log_level_increase="vmware collector", we can see that Zabbix can't log in:

Debug log Level 4 : vmware_service_authenticate():FAIL.

Debug log Level 5 : <soapenv:Fault><faultcode>ServerFaultCode</faultcode><faultstring>
Error returned by expat parser: not well-formed (invalid token)

When investigating with the NetCat tool, I intercepted the SOAP request issued by the Zabbix VMware collector, and it shows that XML entities are not managed. I paste only the essential part; you will understand:

<ns0:password>e><ample</ns0:password>

As a temporary workaround, I changed the VMware password and replaced XML entities ( " ' & < > ) with any other special character ( # ~ [ ] _ ... )

Sincerely yours



 Comments   
Comment by Glebs Ivanovskis (Inactive) [ 2016 Dec 21 ]

As I understand, this boils down to the proper escaping of service->password in vmware_service_authenticate().

There are 5 predefined entities in libxml2 allowing you to escape characters with predefined meaning in some parts of the xml document content: &lt; for the character '<', &gt; for the character '>', &apos; for the character ''', &quot; for the character '"', and &amp; for the character '&'.


Perhaps we need to escape more strings we write to XML, not just passwords.

More info on the topic.

Comment by Andris Zeila [ 2016 Dec 21 ]

The development branch svn://svn.zabbix.com/branches/dev/ZBXNEXT-2033_303 has xml_escape_dyn() (in src/libs/zbxmedia/remedy.c) function which is used to send data to Remedy service. It can be taken from there.

Comment by Sergejs Paskevics [ 2016 Dec 22 ]

Fixed in development branch svn://svn.zabbix.com/branches/dev/ZBX-11630

Comment by Aleksandrs Saveljevs [ 2016 Dec 28 ]

I was wondering whether libxml2 has a function to escape HTML entities. According to http://stackoverflow.com/questions/10062780/preserving-html-entities-with-libxml , there is a UTF8ToHtml() function, but it does not escape < and >. There is also htmlEncodeEntities(), but there is a problem using it. So it seems we can go with our own solution.

Comment by Aleksandrs Saveljevs [ 2016 Dec 28 ]

(1) There is no need to initialize the majority of the variables introduced to NULL.

asaveljevs RESOLVED in r64756 and r64760.

s.paskevics Looks good, CLOSED.

Comment by Sergejs Paskevics [ 2016 Dec 28 ]

Fixed in:

  • 3.0.8rc1 r64763,
  • 3.2.4rc1 r64765,
  • pre3.3.0 (trunk) r64766.
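
The escaping discussed in this thread, as an added example that is not Zabbix code and not the xml_escape_dyn() function mentioned above: a C routine that replaces the five predefined XML entities before a credential is written into a SOAP element. The names xml_escape and xml_escape_alloc are hypothetical; the sample password is the value quoted in the report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: writes the escaped form of in to out when out is
 * non-NULL and returns its length (without the terminator) either way. */
static size_t xml_escape(const char *in, char *out)
{
    size_t len = 0, n;
    const char *ent;
    char one[2] = "";

    for (; *in != '\0'; in++, len += n) {
        switch (*in) {
        case '&':  ent = "&amp;";  break;
        case '<':  ent = "&lt;";   break;
        case '>':  ent = "&gt;";   break;
        case '"':  ent = "&quot;"; break;
        case '\'': ent = "&apos;"; break;
        default:   one[0] = *in; ent = one; /* ordinary byte, copied as is */
        }
        n = strlen(ent);
        if (out != NULL)
            memcpy(out + len, ent, n);
    }
    if (out != NULL)
        out[len] = '\0';
    return len;
}

/* Hypothetical helper: sizes the buffer exactly, then fills it; caller frees. */
char *xml_escape_alloc(const char *in)
{
    char *out = malloc(xml_escape(in, NULL) + 1);
    if (out != NULL)
        xml_escape(in, out);
    return out;
}

int main(void)
{
    /* Constructed input: the password value quoted in the report. */
    char *esc = xml_escape_alloc("e><ample");
    if (esc == NULL)
        return 1;
    printf("<ns0:password>%s</ns0:password>\n", esc);
    free(esc);
    return 0;
}
```

The same call applies to any other string placed into the request body, which is the concern raised in the first comment about escaping more than passwords.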