[ZBXNEXT-2461] Password and passphrase should not be shown in frontend input boxes
Created: 2013 Mar 19 | Updated: 2021 May 21 | Resolved: 2021 May 21 |
Status: | Closed |
Project: | ZABBIX FEATURE REQUESTS |
Component/s: | API (A), Frontend (F) |
Affects Version/s: | 2.4.0 |
Fix Version/s: | None |
Type: | Change Request | Priority: | Trivial |
Reporter: | Kodai Terashima | Assignee: | Unassigned |
Resolution: | Fixed | Votes: | 25 |
Labels: | security, unsquashable |
Remaining Estimate: | Not Specified |
Time Spent: | Not Specified |
Original Estimate: | Not Specified |
Attachments: | CProxyPatch.txt |
Description |
type=text is used for the following input boxes on the frontend, but these contain security-related information. type=password is better for them. |
Comments |
Comment by richlv [ 2013 Mar 19 ] |
this has been discussed before. the problem is that we are not entering the password once for authentication, it is entered as part of the configuration. thus we would still want to review it later. there could be an option to "show/hide password" next to such fields (how about community in snmp v1&2c ?), but that's more like a feature development
zalex_ua: I agree with Rich. |
Comment by Marc [ 2013 Mar 19 ] |
This idea sounds reasonable to me. Hiding such fields (incl. snmp community strings) with the option to show them would improve security a little bit without having to make disruptive changes. |
Comment by Oleksii Zagorskyi [ 2013 Jun 18 ] |
|
Comment by richlv [ 2015 Sep 15 ] |
|
Comment by sbindley [ 2018 Apr 04 ] |
This seems to still be the case (Text box) in 3.4.7, why can't this be changed? I modified configuration.item.edit.php to use CPassBox vs. CTextBox and didn't see any problems creating the item. The password column in items is still clear text but at least the database is restricted more so than when you have multiple Zabbix Admins. |
Comment by sbindley [ 2018 Oct 12 ] |
Any reason this can't be fixed? Every time I upgrade I have to go edit all the files with a password field. (new CTextBox('password' please? |
Comment by Erhan ERTUL [ 2018 Oct 13 ] |
I am an enterprise monitoring engineer and I shouldn't know all the passwords I need in the environment. I need to make the responsible team enter the needed pw once, then I should use it whenever I need without seeing the password (for example, choose pw from safe in snmpv3 item). And also maybe a CyberArk integration is needed ahead! The world is going through self-changing passwords. Also, I use version 4.0 now and there are still passwords shown everywhere. |
Comment by Nick Miethe [ 2018 Nov 19 ] |
Including a patch of the API code to hide PSK information from non Super Admins in get requests. |
Comment by Andrey Denisov [ 2019 May 12 ] |
DB monitors are also affected by this "feature". We can't fully use DB monitor items without hiding passwords in the web. Just hiding password fields in the web will help a lot: when you are unsure about the password you can retype it and that's all, BUT no user can see the password by just clicking a DB monitor item. |
Comment by Smirnov Dmitriy [ 2019 Jul 09 ] |
I would like to support this CR. When multiple teams use Zabbix for monitoring collective infrastructure, open passwords cause concern. |
Comment by Alexei Vladishev [ 2021 May 21 ] |
It has already been fixed in 5.2 by masking of user macros and the ability to keep them in an external Vault.