[ZBX-15146] Information disclosure vulnerability when using an IPv6 address to login Created: 2018 Nov 08 Updated: 2024 Apr 10 Resolved: 2018 Dec 13 |
Status: | Closed |
Project: | ZABBIX BUGS AND ISSUES |
Component/s: | API (A) |
Affects Version/s: | 4.0.1 |
Fix Version/s: | 3.0.25rc1, 4.0.3rc1, 4.2.0alpha2, 4.2 (plan) |
Type: | Problem report | Priority: | Major |
Reporter: | Adrian Kirchner | Assignee: | Miks Kronkalns |
Resolution: | Fixed | Votes: | 0 |
Labels: | frontend | ||
Remaining Estimate: | Not Specified | ||
Time Spent: | Not Specified | ||
Original Estimate: | Not Specified |
Attachments: | screenshot.png |
Team: | Team B |
Sprint: | Sprint 46, Nov 2018, Sprint 47, Dec 2018 |
Story Points: | 0.5 |
Description |
Steps to reproduce:
Result: This is in fact an information disclosure vulnerability, since you can search for existing user accounts that way. I asked for an alternative way to submit this issue, but didn't get an answer for about two weeks. |
Comments |
Comment by Edgars Melveris [ 2018 Nov 09 ] |
Hello Adrian! Thanks for reporting this issue, confirmed. |
Comment by Miks Kronkalns [ 2018 Nov 14 ] |
Fixed in development branches:
Comment by Miks Kronkalns [ 2018 Nov 28 ] |
Fixed in:
Comment by richlv [ 2018 Nov 29 ] |
Thank you for the revision information. It looks like the same solution was chosen for all branches, for example trunk: - 'attempt_ip' => $db_user['userip'] + 'attempt_ip' => substr($db_user['userip'], 0, 39) a) Wouldn't trunk need DB schema change so that the failed login IP can be recorded fully? |
Comment by Miks Kronkalns [ 2018 Nov 29 ] |
Thank you richlv for your suggestion. We decided to store only 39 characters of IP address for all supported versions and trunk, so there is no need to make changes in the DB schema. And yes, we will make an appropriate record in the known issues page. Thank you! |
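The thread settles on keeping the first 39 characters of the client address so the failed-login record always fits the existing column. The following is an added example, not Zabbix code: it shows an alternative that keeps the same 39-byte bound by canonicalising the address with PHP's inet_pton()/inet_ntop() instead of cutting it, so the write succeeds for every request (and therefore cannot behave differently depending on whether the user name exists) while the stored value is always a complete, parseable address. The function name, the 64-byte input sanity bound and the sample inputs are assumptions made for the example.

```php
<?php
// Added example (not Zabbix code): normalise the client address before it is
// written to the failed-login record.
//
// The widest textual IPv6 form is 39 characters (8 groups of 4 hex digits plus
// 7 colons), which is the length the fix in this issue keeps with substr().
const ATTEMPT_IP_MAX_LEN = 39;   // same bound as substr($db_user['userip'], 0, 39)

/**
 * Return a canonical IPv4/IPv6 string of at most ATTEMPT_IP_MAX_LEN bytes.
 * Anything that is not a plain address literal (zone-scoped forms such as
 * fe80::1%eth0, host names, oversized junk) yields '' rather than a cut-off
 * value, so the column never receives a string that is not a real address.
 * Hypothetical helper written for this example.
 */
function normalize_attempt_ip(string $raw): string {
    $raw = trim($raw);
    // Assumed sanity bound: reject obviously oversized input before parsing.
    if ($raw === '' || strlen($raw) > 64) {
        return '';
    }
    // filter_var() accepts only IPv4/IPv6 literals; it returns false otherwise,
    // and checking first avoids the warning inet_pton() emits on bad input.
    if (filter_var($raw, FILTER_VALIDATE_IP) === false) {
        return '';
    }
    $packed = inet_pton($raw);              // 4 or 16 raw bytes
    if ($packed === false) {
        return '';
    }
    $canonical = inet_ntop($packed);        // compressed form, e.g. 2001:db8::1
    // inet_ntop() output never exceeds 39 bytes; the cap is defence in depth only.
    return substr($canonical, 0, ATTEMPT_IP_MAX_LEN);
}

// Constructed sample inputs for illustration. The first is exactly 39 characters
// in expanded form and is stored compressed; the last two are rejected.
$samples = [
    '2001:0db8:0000:0000:0000:0000:0000:0001',  // expanded IPv6, stored as 2001:db8::1
    '::ffff:192.0.2.10',                         // IPv4-mapped IPv6 literal
    '192.0.2.10',                                // plain IPv4
    'fe80::1%eth0',                              // zone id: not a bare literal, stored as ''
    str_repeat('f', 50),                         // oversized junk: stored as ''
];
foreach ($samples as $ip) {
    $stored = normalize_attempt_ip($ip);
    printf("%-42s -> %-20s (%d bytes)\n",
        $ip, $stored === '' ? "''" : $stored, strlen($stored));
}
```

Run with `php normalize_attempt_ip.php` (any PHP 7.4+ CLI). The design point is that validation happens before the database write and is identical for existing and non-existing accounts, so the length of the submitted address can no longer influence which code path fails; the 39-byte substr() is retained only as a last-line guard for the column width.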