View Issue Details

ID: 0023720
Project: mantisbt
Category: security
View Status: public
Last Update: 2023-06-04 08:05
Reporter: Mr.Bricodage
Assigned To: dregad
Priority: normal
Severity: feature
Reproducibility: always
Status: closed
Resolution: not fixable
Product Version: 2.9.0
Summary: 0023720: Passwords (plaintext) in Mantis configuration file
Description

Hello,

A password stored in the Mantis config file is a security issue, even if file access is well locked (chmod 600, owned by the apache process). Example: somebody who had/usurped root access will easily see information to read/write/delete mysql data on a SQL server where he has no rights.

I know that somebody who accesses the config file containing an encrypted password will be able to decrypt the password using Mantis methods. Password encryption is a "border" that forces the viewer to know how Mantis works to decrypt it. In some situations, that risk avoidance will discourage the exploit or delay it.

The question was asked in 2008 (0005208) and the ticket was answered (not fixable) and closed, but I need an updated answer in the 2017 context (salt, ...):

Is it feasible to encrypt or hide passwords in the Mantis configuration file?

Steps To Reproduce

Consult the config_inc.php file in the config folder: $g_db_password and $g_smtp_password (if configured) are filled with a readable password.

Tags: No tags attached.

Relationships

related to 0005208 (closed, grangeway): Encrypt plain smtp_password and db_password configuration fields in configuration?

Activities

vboctor (manager), 2017-12-12 20:11, note ~0058379

A common pattern for this is to use environment variables for secrets that are fetched in config_inc.php. Is there a reason why this doesn't work for you?

Mr.Bricodage (reporter), 2017-12-13 01:19, note ~0058384

Hello,

Thanks for the feedback.
I wasn't aware of this common pattern. I have to check with my operations team to evaluate the solution.
Is it documented?

Maybe a warning could be raised by one step of the admin/check/index page if no environment variable is used, to inform that a way exists to secure the installation a bit?

vboctor (manager), 2017-12-13 02:52, note ~0058385

It is not a common pattern for MantisBT, but it separates passwords from config and gives you control on how you manage them.

Bozz (reporter), 2018-03-23 12:09, note ~0059295

Hi, I need to know how this concept works as well. Does anyone have a link or reference I can use to learn about it and how to implement this with Mantis?
Thank you.

Mr.Bricodage (reporter), 2018-03-27 15:50, note ~0059324

For the record, this is my feedback about how to configure an apache/debian environment to use an environment variable as mantis password storage (thanks @vboctor for the tips):

1) edit /etc/environment (create it if needed) to store your information (the mantis password)
MANTIS_PASSWORD=<MANTIS_DB_PWD>

2) tell apache to use env vars: in the /etc/apache2/envvars file, add the following lines
. /etc/environment
export MANTIS_PASSWORD

3) restart apache service

4) use env vars in mantis config file mantis/config/config_inc.php
$g_db_password = getenv('MANTIS_PASSWORD');

Step 1 has to be adapted regarding your OS.
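The sequence above can be rehearsed before touching the real /etc/environment and /etc/apache2/envvars. The script below is an added example, not MantisBT project code or part of the comment: it emulates what the envvars hook does (source an env file, export the variable that config_inc.php later reads with getenv()) and adds the check a defender wants, namely that the file holding the still-plaintext secret is not readable by group or other. The file path and variable name are parameters, and the temporary file in the demo is a constructed stand-in for /etc/environment.

```sh
#!/bin/sh
# Added example (not from MantisBT). Emulates the Debian/Apache pattern from the
# comment above: envvars sources an env file and exports a variable for PHP's getenv().
# Assumed parameters: FILE (stand-in for /etc/environment), VAR (e.g. MANTIS_PASSWORD).

# load_mantis_secret FILE VAR
# Sources FILE the way ". /etc/environment" in envvars does, then exports VAR.
# Return codes: 0 ok; 1 FILE unreadable; 2 VAR empty after sourcing. Case 2 matters
# because PHP's getenv() returns false for an unset variable, so Mantis would try to
# connect with an empty password instead of failing loudly.
load_mantis_secret() {
    _file=$1
    _var=$2
    [ -r "$_file" ] || return 1
    # "." searches PATH for a bare filename, so always pass an explicit path.
    case $_file in
        */*) . "$_file" ;;
        *)   . "./$_file" ;;
    esac
    eval "_val=\${$_var:-}"
    [ -n "$_val" ] || return 2
    export "$_var"
    return 0
}

# env_file_is_private FILE
# The secret is plaintext inside FILE, so the only real control is who may read it.
# Returns 0 when neither group nor other has a read bit, 1 otherwise or if FILE is
# missing. Parses ls -l output, which is portable across POSIX shells and systems.
env_file_is_private() {
    _perm=$(ls -ld "$1" 2>/dev/null | cut -c2-10) || return 1
    [ -n "$_perm" ] || return 1
    _go=$(printf '%s' "$_perm" | cut -c4-9)   # group + other permission bits
    case $_go in
        *r*) return 1 ;;
        *)   return 0 ;;
    esac
}

# Demo with a constructed temporary env file standing in for /etc/environment.
demo() {
    _tmp=$(mktemp) || return 1
    printf 'MANTIS_PASSWORD=%s\n' 'example-only-password' > "$_tmp"
    chmod 600 "$_tmp"
    if env_file_is_private "$_tmp"; then
        echo "env file is private (no group/other read bit)"
    else
        echo "WARNING: env file readable by group/other"
    fi
    if load_mantis_secret "$_tmp" MANTIS_PASSWORD; then
        # Apache would now hand this to PHP, where config_inc.php uses
        # $g_db_password = getenv('MANTIS_PASSWORD');
        echo "MANTIS_PASSWORD exported (length ${#MANTIS_PASSWORD})"
    else
        echo "secret not loaded, rc=$?"
    fi
    rm -f "$_tmp"
}

demo
```

On a real host the same two checks apply to /etc/environment itself: confirm its mode before pointing envvars at it, and treat an empty variable as a configuration error rather than letting getenv() hand an empty password to the database connection.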

gkeepa (reporter), 2023-05-22 15:47, note ~0067770

Hi, I'm using Windows and IIS as OS and webserver, just wondering if there are other ways of achieving this? By putting the password in /etc/environment, would it still be plain text to people with the right privilege?

dregad (developer), 2023-05-23 02:54, note ~0067771

By putting the password in /etc/environment, would it still be plain text to people with the right privilege?

Yes

dregad (developer), 2023-05-23 04:00, note ~0067774

The situation in 2017 (or in 2023 for that matter) has not changed. There is no really secure alternative to storing the password in plain-text somewhere.

In terms of best practice, files containing sensitive information should be stored outside of the web root.

Encryption is pointless as it needs to be reversible so it would be security by obscurity.