[ZBX-3735] password can be sent in http GET Created: 2011 Apr 18  Updated: 2020 Jul 16  Resolved: 2012 Feb 26

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Frontend (F)
Affects Version/s: 1.9.3 (alpha)
Fix Version/s: 2.0.0rc1

Type: Defect (Security) Priority: Major
Reporter: richlv Assignee: Unassigned
Resolution: Fixed Votes: 1
Labels: security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: File general.login.php.patch    

Description

I haven't figured out exact steps to reproduce this, but every now and then I can get the password sent as an HTTP GET variable, which doesn't seem to be too secure.

An example URL:

index.php?request=&name=Admin&password=zabbix&autologin=1&enter=Sign+in

Comments
Comment by Joseph Bueno [ 2012 Feb 17 ]

Problem still present in 1.9.9
How to reproduce:

  • On the login page, fill in the Username and Password fields and click Sign in.

In Apache access log:
GET /zabbix/index.php?request=&name=XXXXXX&password=XXXXX&enter=Sign+in

In 1.8 versions, Zabbix correctly used POST instead of GET.
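The access-log line above is the detection angle of this bug: a query-string parameter named password is written to the web server log (and to proxy logs, browser history and Referer headers) regardless of TLS. The following is an added example, not Zabbix code or anything attached to this issue: a small scanner over Apache combined-format access log lines that flags request targets carrying credential-like parameter names and produces a redacted copy of the target for reporting. The log lines and the list of sensitive parameter names are constructed for the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Apache combined log format; only the fields needed for this check are captured,
# the trailing referer and user-agent are ignored.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed list of parameter names that must never travel in a query string.
SENSITIVE = {"password", "passwd", "pwd", "pass", "secret", "token", "sessionid"}

def parse_line(line):
    """Return the captured fields of one access log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def leaked_params(target):
    """Names of sensitive parameters present in the query string of a request target."""
    query = urlsplit(target).query
    return [k for k, _ in parse_qsl(query, keep_blank_values=True) if k.lower() in SENSITIVE]

def redact(target):
    """Copy of the request target with sensitive parameter values replaced."""
    parts = urlsplit(target)
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))

def scan(lines):
    """Findings for every log line whose query string carries a sensitive parameter.

    The HTTP method is not used as a filter: a query string is logged whether the
    request was a GET or a POST, so both are reported.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        leaked = leaked_params(rec["target"])
        if leaked:
            findings.append({
                "host": rec["host"],
                "time": rec["time"],
                "method": rec["method"],
                "params": leaked,
                "redacted": redact(rec["target"]),
            })
    return findings

# Constructed sample log: one login via GET (the bug), one login via POST, one unrelated GET.
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Feb/2012:10:15:32 +0100] "GET /zabbix/index.php?request=&name=Admin&password=zabbix&enter=Sign+in HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [17/Feb/2012:10:16:01 +0100] "POST /zabbix/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [17/Feb/2012:10:16:45 +0100] "GET /zabbix/hosts.php?groupid=4 HTTP/1.1" 200 8810 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']} {f['host']} {f['method']} leaked {f['params']} -> {f['redacted']}")
```

Run it against real logs with `scan(open(path))`; the redacted target is what should go into a ticket or SIEM alert, since copying the original line just spreads the credential further.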

Comment by Joseph Bueno [ 2012 Feb 17 ]

I have attached a patch that sets form login method to POST.
It seems to fix this problem.
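The fix described in this comment is a one-attribute change, but it is the kind of regression that returns silently, because a form with no method attribute defaults to GET. The following is an added example, not the attached patch and not Zabbix frontend code: a check that parses rendered login-page HTML and reports every form containing a password field whose method is not POST. The two HTML snippets are constructed to stand in for the page before and after the fix.

```python
from html.parser import HTMLParser

class LoginFormAudit(HTMLParser):
    """Collect every <form> and whether it contains an <input type="password">."""

    def __init__(self):
        super().__init__()
        self._open = []   # forms currently open, innermost last
        self.forms = []   # completed forms

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing method attribute means GET in HTML, which is exactly the bug.
            self._open.append({
                "action": a.get("action"),
                "method": (a.get("method") or "get").lower(),
                "password_field": False,
            })
        elif tag == "input" and self._open and (a.get("type") or "").lower() == "password":
            self._open[-1]["password_field"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._open:
            self.forms.append(self._open.pop())

def insecure_login_forms(html):
    """Forms that carry a password field but would submit it in the query string."""
    p = LoginFormAudit()
    p.feed(html)
    p.close()
    return [f for f in p.forms if f["password_field"] and f["method"] != "post"]

# Constructed "before" page: a login form with no method attribute (defaults to GET).
VULNERABLE_PAGE = """
<form action="index.php">
  <input type="text" name="name">
  <input type="password" name="password">
  <input type="submit" name="enter" value="Sign in">
</form>
<form action="search.php" method="get">
  <input type="text" name="q">
</form>
"""

# Constructed "after" page: the same login form submitting via POST.
FIXED_PAGE = VULNERABLE_PAGE.replace('<form action="index.php">',
                                     '<form action="index.php" method="post">')

if __name__ == "__main__":
    for label, page in (("before", VULNERABLE_PAGE), ("after", FIXED_PAGE)):
        print(label, insecure_login_forms(page))
```

Fetching the live login page and asserting `insecure_login_forms(body) == []` in a deployment smoke test catches the regression before the first credential lands in an access log. The plain search form is deliberately not reported: GET is the correct method for a form that carries nothing sensitive.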

Comment by Alexei Vladishev [ 2012 Feb 26 ]

Thanks for the patch, great work.

Fixed in pre-1.9.10, revision 25607.
