Web interface: incomplete security (1.1.4)

  • ekenberg
    Junior Member
    • Mar 2006
    • 21

    #1

    Web interface: incomplete security (1.1.4)

    After removing all permissions from the Guest user, one would assume the web interface to be completely locked and inaccessible to unauthorized users. However, it's still possible to view sensitive information under "Reports":
    1. Status of Zabbix is shown, including information on the number of hosts/triggers etc
    2. Notification report is still available, showing a summary of usernames and the number and type of notifications sent.
    3. And worst of all, a list of the most busy triggers for the last day/week/month/year is available. This discloses information on monitored hosts, services monitored and the number and severity of triggered events.

    All this information is available without logging in. I consider this a serious security problem. A Guest user with no permissions should see absolutely nothing.

    Or is there something wrong with my installation - is this perhaps not the intended behaviour?

    And a Merry Christmas to you all!
    /Johan Ekenberg
  • mike_k
    Junior Member
    • May 2006
    • 18

    #2
    I can confirm that report. Absolutely same behavior here.

    • Alexei
      Founder, CEO
      Zabbix Certified Trainer
      Zabbix Certified Specialist
      Zabbix Certified Professional
      • Sep 2004
      • 5654

      #3
      Fixed. Thanks for reporting this.
      Alexei Vladishev
      Creator of Zabbix, Product manager
      New York | Tokyo | Riga
      • cameronsto
        Senior Member
        • Oct 2005
        • 148

        #4
        What can we do to correct this in currently installed versions, specifically 1.1.4? What files do we need to modify?

        Is sourceforge cvs not used anymore? Doesn't look like any frontend php files have been updated in a long time.

        -cameron

        • Vince2
          Member
          • Oct 2006
          • 40

          #5
          Originally posted by cameronsto
          What can we do to correct this in currently installed versions, specifically 1.1.4? What files do we need to modify?

          Is sourceforge cvs not used anymore? Doesn't look like any frontend php files have been updated in a long time.
          Sourceforge CVS is not used anymore. Zabbix has switched to an internal SVN which is not publicly accessible. I have the same problem as you: it is difficult to backport small fixes to a working installation. You have to upgrade to a newer version that may import new bugs as well.

          • marcis
            Junior Member
            Zabbix Certified Specialist
            • Jul 2007
            • 17

            #6
            Hi! Haven't tested the new 1.5 version yet, but 1.4.4 has the same problem with "IT services" - guests can see all entries from "Monitoring"->"IT services" without any authentication.

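The quickest way to find out whether your own installation is affected is to request the pages named in the thread (the "Reports" entries from post #1 and the "IT services" page from post #6) with no session cookie and see whether you get the report or the login form. The script below is an added example written for this page; it is not part of the thread and not Zabbix's own code. The script names it probes (report1.php, report4.php, report5.php, srv_status.php) and the assumption that a properly blocked guest is redirected to index.php or shown the login form are assumptions for this example: read the real names off the menu links of your frontend before trusting a verdict. A 200 reply that contains neither a login form nor a "permission denied" message is reported as "exposed".

```python
"""Probe a Zabbix 1.1.x/1.4.x frontend for report pages served to anonymous clients.

Added example for this forum page; not part of the thread or of Zabbix itself.
ASSUMPTIONS (adjust to your install): the report pages live at the scripts in
REPORT_PAGES, and a correctly blocked guest request either redirects to
index.php or gets the login form / a denial message back.
"""
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# Frontend scripts behind the "Reports" and "IT services" menu entries.
# These names are an ASSUMPTION; verify them against your own menu links.
REPORT_PAGES: Dict[str, str] = {
    "report1.php": "Status of Zabbix",
    "report4.php": "Notification report",
    "report5.php": "Most busy triggers",
    "srv_status.php": "IT services",
}

# Signs that the server answered with the login form or a denial instead of the report.
LOGIN_FORM = re.compile(r'type=["\']?password["\']?', re.I)
DENIED_TEXT = re.compile(r'(permission|access)\s+denied|not\s+authori[sz]ed', re.I)


class Response:
    """Minimal holder for the parts of an HTTP reply the probe looks at."""

    def __init__(self, status: int, headers: Dict[str, str], body: str) -> None:
        self.status = status
        self.headers = {k.lower(): v for k, v in headers.items()}
        self.body = body

    def header(self, name: str) -> str:
        return self.headers.get(name.lower(), "")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx replies as HTTPError so the Location header is inspected, not followed."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_no_cookies(url: str, timeout: float = 10.0) -> Response:
    """GET `url` exactly as an anonymous visitor would: no cookies, no redirect following."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "zabbix-guest-probe"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return Response(resp.status, dict(resp.headers.items()),
                            resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return Response(err.code, dict(err.headers.items()),
                        err.read().decode("utf-8", "replace"))


def classify(resp: Response) -> str:
    """Return 'blocked', 'exposed', 'other' or 'error' for one anonymous request."""
    if 300 <= resp.status < 400:
        # A bounce to the login page is the correct behaviour for a guest with no rights.
        return "blocked" if "index.php" in resp.header("Location") else "other"
    if resp.status in (401, 403):
        return "blocked"
    if resp.status == 200:
        if LOGIN_FORM.search(resp.body) or DENIED_TEXT.search(resp.body):
            return "blocked"
        # 200 with neither a login form nor a denial: the report content itself came back.
        return "exposed"
    return "error"


def probe(base_url: str,
          pages: Dict[str, str] = REPORT_PAGES,
          fetch: Callable[[str], Response] = fetch_no_cookies) -> List[Tuple[str, str, str]]:
    """Request every page anonymously and return (script, title, verdict) triples."""
    results: List[Tuple[str, str, str]] = []
    for script, title in pages.items():
        url = base_url.rstrip("/") + "/" + script
        try:
            verdict = classify(fetch(url))
        except (urllib.error.URLError, OSError) as err:
            verdict = "error: %s" % err
        results.append((script, title, verdict))
    return results


if __name__ == "__main__":
    import sys
    base = sys.argv[1] if len(sys.argv) > 1 else "http://localhost/zabbix"
    for script, title, verdict in probe(base):
        print("%-16s %-22s %s" % (script, title, verdict))
```

Run it as `python probe.py http://your-server/zabbix` from a host that has no Zabbix session. Any line marked "exposed" is a page the frontend served without asking for credentials, which is exactly the condition described above; after upgrading, rerun it and expect every line to read "blocked". The `fetch` parameter exists so the verdict logic can be exercised against canned responses without a server.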