Username/Password for zabbix credentials available for everyone who can see dashboard #380

Closed
nf404 opened this issue Apr 14, 2017 · 10 comments

nf404 commented Apr 14, 2017

  • [x] Bug report

For bug report please include this information:

  • What Grafana version are you using? 4.2.0
  • What Zabbix version are you using? 2.4
  • What zabbix plugin version are you using? 3.3.0
  • What OS are you running grafana on? Debian 4.6-6 (2016-07-26)
  • What did you do?
    When I open any zabbix dashboard I see ajax requests with zabbix user & password inside:
    https://host/api/datasources/proxy/23
    {jsonrpc: "2.0", method: "user.login", params: {user: "XXX", password: "XXXXXXXXX"}, id: 1}
  • What was the expected result?
    User & password are already stored in the datasource. There is no reason to show them to any user viewing the dashboard.
  • What happened instead?
    Every user who has access to view the dashboard can see the zabbix user/password.
@alexanderzobnin
Collaborator

Duplicated, see #312

@alisson276

This is not a duplicate issue: bug #312 is about encrypting the user and password in the Grafana DB, while this one is about the browser making the login request and passing the user and password, which can be seen in "firebug" or similar software used to trace the connection in the browser.

The real need is that login and "auth", in proxy mode, should not send that information to the browser, because a user can get that information and use it outside of grafana (with scripts or whatever).

A method to "mask" it would be to use the user's own grafana login user and password to authenticate to the Zabbix API. Is that possible?

@alexanderzobnin
Collaborator

Now the plugin works on the client side only (all code is inside the browser), so I can't do it now. But I'm working on a backend proxy which will also handle authentication. Not sure about the estimated time, though.


eertul commented Mar 6, 2019

Hello Alexander, it is hard for me to maintain this issue. Do you have any information or update about the situation? Could you find any solution for this leak?

@alexanderzobnin
Collaborator

@eertul I can suggest a temporary solution for this. My idea is to use a small and simple proxy running on the grafana or zabbix server which will handle API requests. The proxy should parse the request params and, if the method is user.login, replace the username and password with values stored in its config. The datasource in grafana can use any fake credentials. Once the user is authorized, the proxy will store the auth token and add it to every request.
Please let me know if you are interested in this. I can write and share this proxy. In the future, it should be included in the backend part of the plugin.


eertul commented Mar 7, 2019

Thanks for the response, it will be useful for hiding the pw in the html source. But if an attacker tried with fake credentials, it would work just the same.

@alexanderzobnin
Collaborator

Hm... Sorry, you're right, the proxy has to use an authentication method which Grafana supports, basic auth, for instance. So you will be able to securely configure the login and password for the datasource.
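
The proxy sketched two comments up, with the basic auth requirement from this comment added, as an added example. This is not the plugin's code and not the proxy the maintainer offered to write; the upstream URL, user names and passwords are placeholder assumptions, and the Zabbix error texts used to detect an expired session are assumed. Grafana's datasource is pointed at this proxy with basic auth enabled (Grafana's own server-side datasource proxy adds that header, so the browser never sees it) and with dummy Zabbix credentials; the real Zabbix login and session id live only in the proxy.

```python
"""Added example (not the plugin's code): credential-hiding proxy for the Zabbix
JSON-RPC API. Hosts, users and passwords below are placeholder assumptions."""
import base64
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import Request, urlopen

CONFIG = {
    "zabbix_url": "http://zabbix.example/api_jsonrpc.php",  # assumed upstream API
    "zabbix_user": "grafana-ro",       # real Zabbix login, stored only here
    "zabbix_password": "real-secret",  # assumed value
    "proxy_user": "grafana",           # basic auth configured on the datasource
    "proxy_password": "proxy-secret",  # assumed value
}
PLACEHOLDER_TOKEN = "proxy-session"  # returned to the browser instead of the session id
NO_AUTH_METHODS = {"user.login", "apiinfo.version"}  # Zabbix methods that take no auth
SESSION_ERRORS = ("re-login", "Not authori")  # assumed error texts for a dead session


class ZabbixAuthProxy:
    def __init__(self, cfg, fetch):
        self.cfg = cfg
        self.fetch = fetch  # callable(bytes) -> bytes that POSTs to the Zabbix API
        self.token = None   # real Zabbix session id, never handed to the browser

    def check_basic_auth(self, header):
        """Only the datasource's basic auth may use the proxy; fake creds alone won't do."""
        if not header or not header.startswith("Basic "):
            return False
        try:
            raw = base64.b64decode(header[6:], validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            return False
        expected = f"{self.cfg['proxy_user']}:{self.cfg['proxy_password']}"
        return hmac.compare_digest(raw.encode(), expected.encode())  # constant-time

    def _call(self, req):
        return json.loads(self.fetch(json.dumps(req).encode()))

    def _login(self):
        resp = self._call({"jsonrpc": "2.0", "method": "user.login", "id": 0,
                           "params": {"user": self.cfg["zabbix_user"],
                                      "password": self.cfg["zabbix_password"]}})
        self.token = resp.get("result")
        return resp

    def rewrite(self, req):
        # Request actually sent upstream: browser-supplied auth dropped, real token added.
        out = {k: v for k, v in req.items() if k != "auth"}
        if req.get("method") not in NO_AUTH_METHODS:
            out["auth"] = self.token
        return out

    def handle(self, body):
        """One browser request in, one response out; credentials never pass through."""
        req = json.loads(body)
        if req.get("method") == "user.login":
            resp = self._login()  # whatever user/password the browser sent is ignored
            if "result" in resp:
                resp["result"] = PLACEHOLDER_TOKEN
            resp["id"] = req.get("id")
            return json.dumps(resp).encode()
        if self.token is None and req.get("method") not in NO_AUTH_METHODS:
            self._login()
        resp = self._call(self.rewrite(req))
        data = str(resp.get("error", {}).get("data", ""))
        if any(s in data for s in SESSION_ERRORS):  # session expired: log in again once
            self._login()
            resp = self._call(self.rewrite(req))
        return json.dumps(resp).encode()


class Handler(BaseHTTPRequestHandler):
    proxy = None  # set before serving

    def do_POST(self):
        if not self.proxy.check_basic_auth(self.headers.get("Authorization")):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="zabbix-proxy"')
            self.end_headers()
            return
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        out = self.proxy.handle(body)
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(out)))
        self.end_headers()
        self.wfile.write(out)


def zabbix_fetch(body):
    """POST raw JSON-RPC to the configured Zabbix API and return the raw reply."""
    req = Request(CONFIG["zabbix_url"], data=body,
                  headers={"Content-Type": "application/json-rpc"})
    with urlopen(req, timeout=10) as resp:
        return resp.read()


if __name__ == "__main__":
    Handler.proxy = ZabbixAuthProxy(CONFIG, zabbix_fetch)
    HTTPServer(("127.0.0.1", 8089), Handler).serve_forever()
```

In the Grafana datasource settings the URL becomes the proxy address, Basic Auth is switched on with proxy_user/proxy_password, and the Zabbix username/password fields hold dummies; what the browser then sees in its requests is the dummy login and the placeholder token. The proxy should listen on localhost next to Grafana or behind TLS, since the basic auth header itself is all that protects it.

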

@tammytankian

hello @alexanderzobnin, any news about this issue?

This is dangerous! This client reported the error to us, but I don't know how many times this happened and was not reported (with our clients, and with other users). :/

[image attachment]

@alexanderzobnin
Collaborator

@tammytankian I don't want to promise anything, but the next big task I'm going to start is migrating Zabbix to a backend plugin. This will solve this issue, but that's a lot of work.

@alexanderzobnin
Collaborator

This issue is finally fixed with the backend merged to the master branch.
