-
Notifications
You must be signed in to change notification settings - Fork 462
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Username/Password for zabbix credentials available for everyone who can see dashboard #380
Comments
Duplicated, see #312 |
This is not a duplicated issue, the bug #312 is about encrypt the user and password into Grafana DB, this is about browser request the login and pass user and password on "firebug" or similiar softwares to track the connection on browser. The real need is that login and "auth", on proy mode, doesn't should sent that information on browser, because a user can get that information and use it out of grafana (with scripts or wherever). A method for "mask" it is using the self user and password of grafana login to auth on API of Zabbix, is there possible? |
Now plugin works on client side only (all code is inside a browser), so I can't do it now. But I'm working on backend proxy which will make authentication also. But not sure about estimated time. |
Hello Alexander, it is hard to maintain this issue for me. Do you have any information or update about the situation? Could you find any solution for this leak? |
@eertul I can suggest a temporary solution for this. My idea is to use small and simple proxy running on grafana or zabbix server which will handle API requests. Proxy should parse request params and if method is |
Thanks for the response, it will be useful for hidind the pw on html source. But if attacer would try with fake credentials, it will work as same either. |
Hm... Sorry, you're right, proxy has to use authentication which Grafana supports, basic auth, for instance. So you will be able to secure configure login and password for the datasource. |
hello @alexanderzobnin, any news about this issue? This is dangerous! this client reported the error to us, but I don't know how many times this happened and was not reported (with our clients, and with other users). :/ |
@tammytankian I don't wanna promise anything, but next big task I'm going to start is migrating Zabbix to backend plugin. This will solve this issue, but that's a lot of work. |
This issue is fixed finally with the backend merged to master branch. |
For bug report please include this information:
When I open any zabbix dashboard I see ajax requests with zabbix user & password inside:
https://host/api/datasources/proxy/23
{jsonrpc: "2.0", method: "user.login", params: {user: "XXX", password: "XXXXXXXXX"}, id: 1}
User & password allready stored in datasource. There is no reason show it to any user viewing dashboard.
Every user can see zabbix user/password if has access to view dashboard
The text was updated successfully, but these errors were encountered: