View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0012957 | mantisbt | ldap | public | 2011-04-21 12:16 | 2020-01-25 16:26 |

| Priority | Severity | Reproducibility |
|---|---|---|
| high | tweak | have not tried |

Summary: 0012957: Password stored md5-unsalted in database when LDAP authentication is enabled
When LDAP authentication is enabled the password field in the database will automatically update upon login. This is helpful for systems where the authentication system may be migrated from LDAP to local, but is unnecessary in environments where LDAP is a strict requirement. It exposes additional information in an insecure manner (md5 + no salt).
This behavior should be at least configurable if not stored in a more secure manner.
Steps To Reproduce:
Minor patch would be to:
Document new variable and set it in configuration.
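As an added illustration (not MantisBT's own code), the check below classifies what sits in a user table's password column, flagging the unsalted-MD5 shape this report describes, and shows beside it what an LDAP-only deployment wants written on login: nothing a local verifier could match. The table rows, column names and the `cache_locally` switch are constructed for the example; the page does not name the real configuration variable.

```python
import hashlib
import re
from typing import Dict, List

# 32 lowercase hex characters: the shape of a raw, unsalted md5(password).
MD5_HEX = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample rows modelled on a user table (not real MantisBT data).
SAMPLE_USERS: List[Dict[str, str]] = [
    {"username": "alice", "password": hashlib.md5(b"hunter2").hexdigest()},  # cached on LDAP login
    {"username": "bob",   "password": "$2y$10$" + "x" * 53},                  # bcrypt-style value
    {"username": "carol", "password": ""},                                    # nothing cached
]


def classify_password_field(value: str) -> str:
    """Label the storage form of one password column value."""
    if value == "":
        return "empty"
    if MD5_HEX.match(value):
        return "md5-unsalted"  # recoverable offline by plain dictionary attack
    if value.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt"
    return "other"


def audit_users(rows: List[Dict[str, str]]) -> List[str]:
    """Return the usernames whose cached credential is an unsalted MD5 digest."""
    return [r["username"] for r in rows
            if classify_password_field(r["password"]) == "md5-unsalted"]


def ldap_login_record(password: str, cache_locally: bool) -> str:
    """Value to write to the password column after a successful LDAP bind.

    cache_locally=True reproduces the behaviour this report complains about:
    the raw md5 of the password is persisted.  False writes an empty value,
    so the LDAP secret never reaches the database and a local login path
    that treats "empty" as "no local password" cannot verify against it.
    The switch itself is hypothetical; the page gives no variable name.
    """
    if cache_locally:
        return hashlib.md5(password.encode()).hexdigest()
    return ""
```

Running `audit_users(SAMPLE_USERS)` on the constructed rows names only `alice`, the account whose credential was cached the way the report describes.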
| Relationship | Issue | Status | Assignee | Summary |
|---|---|---|---|---|
| related to | 0015721 | closed | grangeway | Functionality to consider porting to master-2.0.x |
| has duplicate | 0019393 | closed | atrol | Config-Parameter for LDAP password saving |
| has duplicate | 0026626 | closed | atrol | Add config option to not cache (insecure MD5) password hashes in the database |
| related to | 0022156 | closed | atrol | Password are stored in PLAIN TEXT |
| related to | 0025771 | closed | dregad | LDAP not update password |
This issue also occurs when a user is created.
The version of the ldap api in our next branch [which supports multiple servers] doesn't store the password locally. Storing an LDAP password locally is really a security risk IMO.
Reopened, there is no "Fixed in Version" and we will have no "Roadmap" and "Changelog". There is no patch / changeset attached which will confuse any user who has a look at this issue.
This is fixed in the mantis-2.x branch.
Marking as 'acknowledged' not resolved/closed to track that change gets ported to master-2.0.x branch
Noticed this bug the hard way, and the bug still exists in 1.2.19; is this planned to be fixed?
I think "select md5('XX');" is quite simple today to crack with hashcat.net and a decent graphics card.
I agree this is an issue, and it will get fixed eventually, but TBH it's not very high on my radar at the moment.
If you're able and willing to contribute a patch, it would be more than welcome. The best would be a pull request on Github, or alternatively a unified diff.
One more PR https://github.com/mantisbt/mantisbt/pull/713
Latest PR for it https://github.com/mantisbt/mantisbt/pull/718
Folks: this is a security issue. I seriously don't understand why it can't be fixed. It's not like there aren't any suitable patches, pull requests (the latest being https://github.com/mantisbt/mantisbt/pull/718) and the like. What is required to get the proper attention for this?
Seems related to: https://mantisbt.org/bugs/view.php?id=22839
Do any of you accept money to work on such things? How many man-hours would it take, and what is your hourly rate?
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2011-04-21 12:16 | scmme | New Issue | |
| 2011-04-21 14:02 | siebrand | Priority | normal => high |
| 2011-05-03 21:32 | scmme | Note Added: 0028743 | |
| 2011-05-24 05:00 | vboctor | Tag Attached: patch | |
| 2011-05-24 05:00 | vboctor | Assigned To | => vboctor |
| 2011-05-24 05:00 | vboctor | Status | new => acknowledged |
| 2011-05-24 05:00 | vboctor | Assigned To | vboctor => |
| 2012-02-05 07:38 | grangeway | Note Added: 0031127 | |
| 2012-02-05 07:38 | grangeway | Status | acknowledged => resolved |
| 2012-02-05 07:38 | grangeway | Resolution | open => no change required |
| 2012-02-05 07:38 | grangeway | Assigned To | => grangeway |
| 2012-02-22 16:16 | atrol | Status | resolved => closed |
| 2012-03-14 18:20 | atrol | Note Added: 0031466 | |
| 2012-03-14 18:20 | atrol | Status | closed => feedback |
| 2012-03-14 18:20 | atrol | Resolution | no change required => reopened |
| 2012-10-20 20:00 | grangeway | Note Added: 0033292 | |
| 2012-10-20 20:00 | grangeway | Status | feedback => resolved |
| 2012-10-20 20:00 | grangeway | Fixed in Version | => 1.3.0-beta.1 |
| 2012-10-20 20:00 | grangeway | Resolution | reopened => fixed |
| 2013-04-05 17:56 | grangeway | Status | resolved => acknowledged |
| 2013-04-05 17:56 | grangeway | Note Added: 0036219 | |
| 2013-04-05 18:56 | grangeway | Relationship added | related to 0015721 |
| 2013-04-06 09:26 | dregad | Tag Attached: 2.0.x check | |
| 2013-04-06 09:26 | dregad | Status | acknowledged => resolved |
| 2013-04-06 10:32 | dregad | Assigned To | grangeway => |
| 2013-04-06 10:32 | dregad | Status | resolved => acknowledged |
| 2013-04-06 10:32 | dregad | Resolution | fixed => reopened |
| 2013-04-06 10:32 | dregad | Fixed in Version | 1.3.0-beta.1 => |
| 2013-04-06 15:18 | grangeway | Status | acknowledged => resolved |
| 2013-04-06 15:18 | grangeway | Resolution | reopened => fixed |
| 2013-04-06 15:18 | grangeway | Assigned To | => grangeway |
| 2013-04-27 16:34 | atrol | Assigned To | grangeway => |
| 2013-04-27 16:34 | atrol | Status | resolved => acknowledged |
| 2013-04-27 16:34 | atrol | Resolution | fixed => open |
| 2014-09-23 18:05 | grangeway | Tag Detached: 2.0.x check | |
| 2015-02-23 10:24 | atrol | Relationship added | has duplicate 0019393 |
| 2015-09-09 06:25 | andy778 | Note Added: 0051423 | |
| 2015-09-09 18:56 | dregad | Note Added: 0051430 | |
| 2015-10-16 01:30 | atrol | Note Added: 0051638 | |
| 2015-10-16 02:13 | atrol | Assigned To | => community |
| 2015-10-16 02:13 | atrol | Status | acknowledged => assigned |
| 2016-01-29 10:01 | atrol | Note Added: 0052437 | |
| 2017-01-10 11:29 | dregad | Relationship added | related to 0022156 |
| 2017-01-10 11:43 | atrol | Note Added: 0055027 | |
| 2017-03-08 16:54 | atrol | Assigned To | community => dregad |
| 2018-11-12 04:38 | tfnab | Note Added: 0060946 | |
| 2019-03-18 16:40 | rogueresearch | Note Added: 0061701 | |
| 2019-05-17 09:42 | dregad | Relationship added | related to 0025771 |
| 2020-01-25 07:05 | atrol | Relationship added | has duplicate 0026626 |
| 2020-01-25 16:26 | rogueresearch | Note Added: 0063518 | |