Relationship Graph

View IssueDependency GraphShow Summary
Relationship Graph
related to related to child of child of duplicate of duplicate of

View Issue Details

WikiJump to Notes
IDProjectCategoryView StatusDate SubmittedLast Update
0026614mantisbtsecuritypublic2020-01-20 04:442020-02-09 07:05
Reporterchadmiss Assigned Todregad  
PrioritynormalSeveritymajorReproducibilityalways
Status closedResolutionno change required 
Product Version2.21.0 
Summary0026614: SOAP: User Credentials appear in plain text in error log
Description

$g_log_destination = 'file:/our/logfile.log';
$g_log_level = LOG_EMAIL | LOG_WEBSERVICE;

when there is an application error (in our case the logfile wasn't writable) the error message gets written into the standard server log (using nginx) the user credentials of the user making a SOAP call are written in the log in plaintext.

that's a major security flaw.

here is the excerpt from the nginx log

2020/01/20 06:00:04 [error] 29188#29188: *4957786 FastCGI sent in stderr: "PHP message: [mantisconnect.php] Error Type: SYSTEM WARNING,
Error Description: is_writable(): open_basedir restriction in effect. File(/our/logfile.log) is not within the allowed path(s): (/home/mantis_installation:/another/path/)
Stack Trace:
logging_api.php L113 is_writable(<string>'/our/logfile.log')
mc_issue_api.php L83 log_event(<integer>64, <string>'getting details for issue \'2379\'')
UnknownFile L? mc_issue_get(<string>'soap-user', <string>'user-password', <integer>2379)
mantisconnect.php L89 handle()" while reading response header from upstream, client: 91.205.36.179, server: our-mantis-server, request: "POST /our-mantis/api/soap/mantisconnect.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php-fpm-ais_mantis.sock:", host: "www.our-mantis-host.x"

TagsNo tags attached.

Relationships

Relationship GraphDependency Graph
related to 0025734 closeddregad LOGFILE_NOT_WRITABLE error triggered if file does not exist 
related to 0019642 closeddregad If log file is not writable, log_event() fails silently 

Activities

dregad

dregad

2020-01-20 05:55

developer   ~0063482

I agree that disclosing a password is a security issue, but the stack trace is generated by PHP (due to the warning, and the way your server is configured), and Mantis does not have control over it.

That being said, we should not trigger a PHP WARNING to begin with. It looks like you're using an older version of MantisBT, and I believe that the problem you're reporting should be fixed in release 2.21.1 (see 0025734).

Could you please test again with the latest version (2.23.0) and confirm whether the behavior persists.
chadmiss

chadmiss

2020-01-20 10:05

reporter   ~0063484

thanks!

updating to 2.21.1 helped to fix the problem that the log can't be written!
dregad

dregad

2020-01-20 11:01

developer   ~0063485

Thanks for the feedback, glad to hear your problem is resolved.

As a side note, if you're concerned about security, I would recommend to upgrade to 2.23.0 as several CVEs and other security issues were fixed since 2.21.1. Look at Changelog for details