|
Duplicate |
Team B
[ZBXNEXT-7397] Insecure md5 is used for verifying passwords Created: 2021 Dec 27 Updated: 2024 Apr 10 Resolved: 2022 Mar 07 |
|
| Status: | Closed |
| Project: | ZABBIX FEATURE REQUESTS |
| Component/s: | API (A), Server (S) |
| Affects Version/s: | 6.0.0beta1 |
| Fix Version/s: | 6.2.0alpha1, 6.2 (plan) |
| Type: | Change Request | Priority: | High |
| Reporter: | Artjoms Rimdjonoks | Assignee: | Martins Krisjanis (Inactive) |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | frontend, password, security | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: |
|
||||
| Team: | Team B |
||||
| Sprint: | Sprint 84 (Jan 2022), Sprint 85 (Feb 2022) | ||||
| Story Points: | 0.25 | ||||
| Description |
|
Zabbix front-end still allows using md5 for verifying passwords (CUser.php): private static function verifyPassword($password, array $db_user) {
if (strlen($db_user['passwd']) > ZBX_MD5_SIZE) {
return password_verify($password, $db_user['passwd']);
}
if (hash_equals($db_user['passwd'], md5($password))) {
Apparently it was intentional to keep it for backwards compatibility (check ZBXNEXT-1898). |
| Comments |
| Comment by Alexei Vladishev [ 2022 Feb 10 ] |
|
I would suggest to leave the incorrect login message as it is in 6.0. No need to change it. |
| Comment by Martins Krisjanis (Inactive) [ 2022 Feb 14 ] |
|
Frontend implemented in development branch feature/ZBXNEXT-7397-5.5 |
| Comment by Martins Krisjanis (Inactive) [ 2022 Feb 25 ] |
|
Implemented in:
|
| Comment by Martins Krisjanis (Inactive) [ 2022 Mar 02 ] |
|
Documentation updated:
|