[ZBX-3735] password can be sent in http GET Created: 2011 Apr 18 Updated: 2020 Jul 16 Resolved: 2012 Feb 26 |
|
Status: | Closed |
Project: | ZABBIX BUGS AND ISSUES |
Component/s: | Frontend (F) |
Affects Version/s: | 1.9.3 (alpha) |
Fix Version/s: | 2.0.0rc1 |
Type: | Defect (Security) | Priority: | Major |
Reporter: | richlv | Assignee: | Unassigned |
Resolution: | Fixed | Votes: | 1 |
Labels: | security | ||
Remaining Estimate: | Not Specified | ||
Time Spent: | Not Specified | ||
Original Estimate: | Not Specified |
Attachments: | general.login.php.patch |
Description |
I haven't figured out exact steps to reproduce this, but every now and then I can get the password sent as an HTTP GET variable, which doesn't seem to be too secure. An example URL: index.php?request=&name=Admin&password=zabbix&autologin=1&enter=Sign+in |
Comments |
Comment by Joseph Bueno [ 2012 Feb 17 ] |
Problem still present in 1.9.9.
In Apache access log:
In 1.8 versions, Zabbix correctly used POST instead of GET. |
Comment by Joseph Bueno [ 2012 Feb 17 ] |
I have attached a patch that sets form login method to POST. |
Comment by Alexei Vladishev [ 2012 Feb 26 ] |
Thanks for the patch, great work. Fixed in pre-1.9.10, revision 25607. |
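
A login submitted with GET leaves the password in the web server's access log, as the comment about the Apache log notes. The following is an added example, not part of the original issue or of the Zabbix code base: a small scanner that flags access-log requests carrying a non-empty password parameter in the query string and redacts the value in its report. The parameter-name list, the `/zabbix/` path prefix and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Parameter names treated as secrets (assumption; extend for your application).
SENSITIVE = {"password", "passwd", "pwd"}

# Request line inside an Apache common/combined log entry: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def find_credential_leaks(log_lines):
    """Return (line_no, method, redacted_target) for requests with secrets in the query string."""
    findings = []
    for line_no, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        parts = urlsplit(match.group("target"))
        params = parse_qsl(parts.query, keep_blank_values=True)
        # Only a non-empty secret value counts as a leak.
        if not any(k.lower() in SENSITIVE and v for k, v in params):
            continue
        # Redact before reporting so the finding does not copy the secret again.
        redacted = urlencode(
            [(k, "REDACTED" if k.lower() in SENSITIVE else v) for k, v in params]
        )
        findings.append((line_no, match.group("method"), f"{parts.path}?{redacted}"))
    return findings


# Constructed sample log lines (addresses and timestamps are made up); the second
# request uses the URL shape quoted in the issue description.
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Feb/2012:10:00:01 +0100] "POST /zabbix/index.php HTTP/1.1" 302 -',
    '192.0.2.10 - - [17/Feb/2012:10:00:07 +0100] "GET /zabbix/index.php?request=&name=Admin'
    '&password=zabbix&autologin=1&enter=Sign+in HTTP/1.1" 302 -',
    '192.0.2.11 - - [17/Feb/2012:10:01:12 +0100] "GET /zabbix/index.php?password= HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for line_no, method, target in find_credential_leaks(SAMPLE_LOG):
        print(f"line {line_no}: {method} {target}")
```

Any hit means the credential has already been written to disk in the log (and possibly to proxy logs and browser history), so the affected password should be rotated in addition to fixing the form method.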