[ZBX-6721] HTML code of "authentication.php" contains a ldap_bind_password in clear text if LDAP auth is enabled
Created: 2013 Jun 18 | Updated: 2020 Jul 16 | Due: 2014 Apr 17 | Resolved: 2014 Apr 15

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Frontend (F)
Affects Version/s: 2.0.6
Fix Version/s: 1.8.20rc2, 2.0.11rc1, 2.2.2rc1, 2.3.0
Type: Defect (Security)
Priority: Major
Reporter: Oleksii Zagorskyi
Assignee: Unassigned
Resolution: Fixed
Votes: 1
Labels: authentication, ldap, security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Issue Links:
Description
This security problem is actual only for zabbix-super-administrator user accounts.
When this is considered as a problem:
Goal:
Possible solution:
I'm not sure, but maybe it would be worth showing some grayed default text in the box, like "Password stored into DB, type new password if required." if the password is not empty in the DB.
Somehow related issue
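The leak this issue reports, as an added illustration that is not Zabbix code and not code from this issue: a PHP settings form that writes the stored LDAP bind password into the page source, beside a form that never echoes it (the "Change password" control the discussion settles on) and a save handler that keeps the stored value unless a change was requested, so a Test-then-Save round trip does not force re-entering the password. All function names, field names and the sample configuration are hypothetical.

```php
<?php
// Added example, not Zabbix code. Names and values are hypothetical.

// Constructed sample of what the frontend would have stored in the DB.
$stored = [
    'ldap_host'          => 'ldap.example.internal',
    'ldap_bind_dn'       => 'cn=zabbix,ou=svc,dc=example,dc=internal',
    'ldap_bind_password' => 'S3cretBindPw!',   // constructed sample secret
];

// LEAKY pattern: the stored bind password becomes the input's value, so anyone
// who can open the page (or read its HTML source) receives it in clear text.
function renderLdapFormLeaky(array $cfg): string
{
    return '<input type="password" name="ldap_bind_password" value="'
        . htmlspecialchars($cfg['ldap_bind_password'], ENT_QUOTES, 'UTF-8') . '">';
}

// HARDENED pattern: never echo the secret. Render an empty, disabled field and a
// "Change password" button; the button only enables the field client-side, so the
// stored value never leaves the server.
function renderLdapFormSafe(array $cfg): string
{
    $hasPassword = $cfg['ldap_bind_password'] !== '';
    $html = '<input type="password" name="ldap_bind_password" value="" autocomplete="new-password"'
        . ($hasPassword ? ' disabled>' : '>');
    if ($hasPassword) {
        $html .= '<button type="button" name="change_bind_password">Change password</button>';
    }
    return $html;
}

// Save handler: overwrite the stored password only when the user explicitly asked
// to change it. Any other submit (including Test followed by Save) keeps the DB
// value, so the secret does not have to be typed again on every save.
function applyLdapForm(array $stored, array $post): array
{
    $new = $stored;
    foreach (['ldap_host', 'ldap_bind_dn'] as $field) {
        if (isset($post[$field])) {
            $new[$field] = (string) $post[$field];
        }
    }
    if (!empty($post['change_bind_password'])) {
        $new['ldap_bind_password'] = (string) ($post['ldap_bind_password'] ?? '');
    }
    return $new;
}

// Regression check a reviewer can run over rendered output: the stored secret
// (HTML-escaped, as it would appear in an attribute) must not occur anywhere.
function pageLeaksSecret(string $html, string $secret): bool
{
    if ($secret === '') {
        return false;
    }
    $escaped = htmlspecialchars($secret, ENT_QUOTES, 'UTF-8');
    return strpos($html, $escaped) !== false || strpos($html, $secret) !== false;
}

var_dump(pageLeaksSecret(renderLdapFormLeaky($stored), $stored['ldap_bind_password']));
var_dump(pageLeaksSecret(renderLdapFormSafe($stored), $stored['ldap_bind_password']));

// Re-saving without the change flag keeps the stored password intact.
$after = applyLdapForm($stored, ['ldap_host' => 'ldap2.example.internal']);
var_dump($after['ldap_bind_password'] === $stored['ldap_bind_password']);
```

The check in pageLeaksSecret is the one worth keeping as a frontend test: render the authentication page for a Superadmin session and assert the bind password is absent from the response body, which is exactly the property this issue's fix restores.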
Comments

Comment by Volker Fröhlich [ 2013 Oct 05 ]
Might be http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5572

Comment by Eduards Samersovs (Inactive) [ 2014 Jan 13 ]
Fixed in development branch svn://svn.zabbix.com/branches/dev/ZBX-6721

Comment by Volker Fröhlich [ 2014 Jan 13 ]
Is this issue what the above CVE is about?

Comment by Oleksii Zagorskyi [ 2014 Jan 13 ]
dev branch tested.
(1) If we try to enable LDAP auth for the first time, we see a "Change password" button there which, I have to say, misleads.
Eduards RESOLVED r.41692
oleg.egorov CLOSED

Comment by Oleksii Zagorskyi [ 2014 Jan 13 ]
(2) After I click the "Change password" button, specify an incorrect Bind password and try Test or Save, in both cases I'm getting the expected errors.
Eduards Due to safety, we can't show the password for future editing. I understand this is not user friendly, but we can't do that.
oleg.egorov CLOSED
<richlv> this seriously devalues testing - we test, it works - then we have to re-enter all details, possibly making some mistake. we cannot test the exact same config we would be saving. what is the security concern with keeping credentials in the current session? -> REOPENED
Eduards We cannot use the session to store form data because of the multitab issue.
zalex_ua Hmmm, cannot get it. Then why was it possible before the current development?
Eduards Before was a bug! ))
oleg.egorov CLOSED AS DISCUSSED
<richlv> please add the conclusions of the discussion here so we don't have to revisit this later
Comment by Oleksii Zagorskyi [ 2014 Jan 13 ]
Volker, as I see it, we should resolve the CVE report.

Comment by Volker Fröhlich [ 2014 Jan 13 ]
Very good! Can you please provide a 1.8 backport too?

Comment by Oleksii Zagorskyi [ 2014 Jan 13 ]
Only if the devs will be so kind to do it

Comment by Oleg Egorov (Inactive) [ 2014 Jan 14 ]
(3) Please fix coding style, div long rows.
Eduards RESOLVED r.41692
oleg.egorov CLOSED

Comment by Oleg Egorov (Inactive) [ 2014 Jan 14 ]
(5) "Authentication method changed to LDAP", and if we re-save the form we see "Authentication method changed to LDAP" again.
Eduards RESOLVED r.41692
oleg.egorov CLOSED

Comment by Oleg Egorov (Inactive) [ 2014 Jan 14 ]
Problems (4), (5) and (7) exist in 2.0.11 too...
Eduards This dev branch is made from 2.0.11rc1 and will be integrated in all versions

Comment by Oleg Egorov (Inactive) [ 2014 Jan 14 ]
(6) After clicking on "Change password", the "Bind password" field is not empty...
zalex_ua are you sure?
oleg.egorov CLOSED, browser cache

Comment by Oleg Egorov (Inactive) [ 2014 Jan 14 ]
(7) Open LDAP configuration, remove a field value, for example from "Search attribute", click Save. Field not empty.
Eduards RESOLVED r.41692
oleg.egorov Correct and saved LDAP authentication, remove "Search attribute", then save. Warning: Incorrect value for field "Search attribute": cannot be empty. But the field "Search attribute" now isn't empty; there is the data which was there before removing. Other problem: if there are problems in the form, values are reset after saving. REOPEN
Eduards RESOLVED r.41737
oleg.egorov CLOSED
Comment by Oleg Egorov (Inactive) [ 2014 Jan 21 ]
(8) Default authentication: LDAP, change to Internal and again to LDAP...
Eduards RESOLVED r.41703
Interesting moment: the Login (user) field is not empty, there I see "Admin"
oleg.egorov CLOSED

Comment by Oleg Egorov (Inactive) [ 2014 Jan 21 ]
(9) Why after re-saving should I enter the User password again and again...
zalex_ua I suppose your question duplicates mine (2)
oleg.egorov CLOSED

Comment by Oleksii Zagorskyi [ 2014 Jan 21 ]
(10) After the changes, do you test it at all? I type the correct User password and go to Test and I get:
Undefined variable: dn [include/classes/class.cldap.php:136]
Undefined variable: ldapAccountOk [authentication.php:154]
If I try to Save (with the correct User password) then I see a green success header and this error at the bottom of it:
Undefined variable: dn [include/classes/class.cldap.php:136]
If I try to Test with an incorrect User password, then:
Undefined variable: dn [include/classes/class.cldap.php:136]
ldap_bind(): Unable to bind to server: Invalid credentials [include/classes/class.cldap.php:158]
Login name or password is incorrect!
Undefined variable: ldapAccountOk [authentication.php:154]
Eduards RESOLVED r.41737 Sorry, my mistake!
oleg.egorov CLOSED
Comment by Oleg Egorov (Inactive) [ 2014 Jan 22 ]
(11) class.cldap.php
    if () {
        $dn = null;
    }
    elseif () {
        $dn = 1;
    }
    elseif () {
        $dn = 2;
    }
    else {
        $dn = null;
    }
But should be:
    $dn = null;
    if () {
    }
    elseif () {
        $dn = 1;
    }
    elseif () {
        $dn = 2;
    }
    else {
    }
Eduards RESOLVED r.41775
oleg.egorov CLOSED

Comment by Oleg Egorov (Inactive) [ 2014 Jan 23 ]
TESTED

Comment by Oleksii Zagorskyi [ 2014 Jan 23 ]
(11) Need to reflect the new logic in documentation.

Comment by Eduards Samersovs (Inactive) [ 2014 Jan 23 ]
Fixed in versions 2.3.0 (trunk) r.41784, 2.2.2rc1 r.41783, 2.0.11.rc1 r.41781

Comment by richlv [ 2014 Jan 27 ]
-------------------------
Zabbix frontend may expose LDAP authentication password to users with Superadmin privileges. Please use CVE-2013-5572 to refer to this vulnerability.
-------
Zabbix stores a password for binding to LDAP. This password was transmitted to any user with Superadmin privileges who would open the authentication configuration page. Zabbix user or admin level privileges would not allow access to this password.
-----------------
All of the Zabbix versions are vulnerable to this problem.
--------------
This vulnerability has been fixed in the latest releases of Zabbix. The fix is available in the following Zabbix releases:
Comment by Eduards Samersovs (Inactive) [ 2014 Feb 06 ]
Fixed 1.8 in development branch svn://svn.zabbix.com/branches/dev/ZBX-6721-18

Comment by Volker Fröhlich [ 2014 Feb 06 ]
Thanks a lot, Eduards!

Comment by Pavels Jelisejevs (Inactive) [ 2014 Feb 06 ]
(12) I've made a minor fix in r42343, please review.
Eduards CLOSED

Comment by Pavels Jelisejevs (Inactive) [ 2014 Feb 06 ]
TESTED. If (12) is OK - you can merge.

Comment by Eduards Samersovs (Inactive) [ 2014 Feb 06 ]
Fixed in versions 1.8.20rc2 r.42345

Comment by richlv [ 2014 Mar 03 ]
(13) changelog entry is "fixed LDAP authentication" - that is way, way too vague. please, use something like "removed LDAP bind password from authentication page source" or similar
Fixed in versions 2.3.0 (trunk) r.44462, 2.2.2rc1 r.44461, 2.0.11.rc1 r.44460, 1.8.20rc2 r.44459