View Issue Details

ID: 0023720
Project: mantisbt
Category: security
View Status: public
Last Update: 2018-03-27 15:50
Reporter: Mr.Bricodage
Assigned To: (none)
Priority: normal
Severity: feature
Reproducibility: always
Status: new
Resolution: open
Product Version: 2.9.0
Target Version: (none)
Fixed in Version: (none)
Summary0023720: Passwords (plaintext) in Mantis configuration file
Description

Hello,

A password stored in the Mantis config file is a security issue, even if file access is well locked (chmod 600, owned by the apache process). Example: somebody who had/usurped root access will easily see information to read/write/delete mysql data on a SQL server where he has no rights.

I know that somebody who accesses the config file containing the encrypted password will be able to decrypt the password using Mantis methods. Password encryption is a "border" that forces the viewer to know how Mantis works to decrypt. In some situations, that risk avoidance will discourage the exploit or delay it.

The question was asked in 2008 (0005208) and the ticket was answered (not fixable) and closed, but I need an updated answer in the 2017 context (salt, ...):

Is it feasible to encrypt or hide passwords in the Mantis configuration file?

Steps To Reproduce

Consult a config_inc.php file in the config folder: $g_db_password and $g_smtp_password (if configured) are filled with a readable password.

Tags: No tags attached.

Activities

vboctor

2017-12-12 20:11

manager   ~0058379

A common pattern for this is to use environment variables for secrets that are fetched in config_inc.php. Is there a reason why this doesn't work for you?

Mr.Bricodage

2017-12-13 01:19

reporter   ~0058384

Hello

Thanks for the feedback.
I wasn't aware of this common pattern. I have to check with my operations team to evaluate the solution.
Is it documented?

Maybe a warning could be raised by one step of the admin/check/index page if no environment variable is used, to inform that a way exists to secure the installation a bit?

vboctor

2017-12-13 02:52

manager   ~0058385

It is not a common pattern for MantisBT, but it separates passwords from config and gives you control on how you manage them.

Bozz

2018-03-23 12:09

reporter   ~0059295

Hi, I need to know how these concepts work as well. Does anyone have a link or reference I can use to learn about it and how to implement this with Mantis?
Thank you.

Mr.Bricodage

2018-03-27 15:50

reporter   ~0059324

For the record, this is my feedback about how to configure an apache/debian environment to use an environment variable as mantis password storage (thanks @vboctor for the tips):

1) edit /etc/environment (create it if needed) to store your information (the mantis password)
MANTIS_PASSWORD=<MANTIS_DB_PWD>

2) tell apache to use env vars: in the /etc/apache2/envvars file, add the following lines
. /etc/environment
export MANTIS_PASSWORD

3) restart apache service

4) use the env var in the mantis config file mantis/config/config_inc.php
$g_db_password = getenv('MANTIS_PASSWORD');

Step 1 has to be adapted to your OS.
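The config_inc.php side of the procedure above, written out as a complete fragment with the checks a practitioner would add. This is an added example for this issue, not MantisBT project code and not part of the reporter's note: the variable names MANTIS_DB_PASSWORD and MANTIS_SMTP_PASSWORD, the helper mantis_secret_from_env() and the placeholder host/user values are assumptions chosen for the example; $g_db_password and $g_smtp_password are the settings named in the issue, and the remaining $g_* names are the standard MantisBT database and SMTP settings.

```php
<?php
# Added example, not MantisBT project code. Reads the database and SMTP
# passwords from the environment so that config_inc.php itself holds no secret.
# MANTIS_DB_PASSWORD, MANTIS_SMTP_PASSWORD and mantis_secret_from_env() are
# names assumed for this example.

/**
 * Return a secret from the environment.
 *
 * A required secret that is missing or empty aborts start-up: a silent
 * fallback to '' would let the site come up with a blank database password,
 * which is a worse failure mode than refusing to serve. An optional secret
 * (SMTP auth that is not configured on this site) simply returns ''.
 *
 * @param string $p_name      Environment variable name
 * @param bool   $p_required  Abort when the variable is unset or empty
 * @return string
 */
function mantis_secret_from_env( $p_name, $p_required = true ) {
	$t_value = getenv( $p_name );
	if( $t_value === false || $t_value === '' ) {
		if( !$p_required ) {
			return '';
		}
		# Name the variable in the server log only; never echo it to the browser.
		error_log( 'config_inc.php: required environment variable ' . $p_name . ' is not set' );
		http_response_code( 500 );
		exit( 'Configuration error' );
	}
	return $t_value;
}

# Database settings (placeholder values except the password, which comes
# from the environment and never appears in this file).
$g_hostname      = 'localhost';
$g_db_type       = 'mysqli';
$g_database_name = 'bugtracker';
$g_db_username   = 'mantis';
$g_db_password   = mantis_secret_from_env( 'MANTIS_DB_PASSWORD' );

# SMTP settings (placeholder values). The password is optional: a site that
# relays mail without authentication runs without MANTIS_SMTP_PASSWORD set.
$g_smtp_host     = 'smtp.example.com';
$g_smtp_username = 'mantis@example.com';
$g_smtp_password = mantis_secret_from_env( 'MANTIS_SMTP_PASSWORD', false );
```

Two caveats on the environment-variable approach itself. First, it moves the secret out of the config file but does not protect it from the scenario in the description: anyone who can execute PHP as the web-server user (an injected script calling getenv() or phpinfo()) and root via /proc/<pid>/environ can still read it. Second, /etc/environment is typically world-readable, so storing the password there is weaker than a chmod 600 config file; keep the secret in a root-only file that /etc/apache2/envvars sources instead (envvars is read while Apache starts as root, and the worker processes inherit the environment), and quote any value containing spaces or shell metacharacters, since the file is being sourced by sh rather than parsed by pam_env.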

Issue History

Date Modified Username Field Change
2017-12-12 17:23 Mr.Bricodage New Issue
2017-12-12 20:11 vboctor Note Added: 0058379
2017-12-13 01:19 Mr.Bricodage Note Added: 0058384
2017-12-13 02:52 vboctor Note Added: 0058385
2018-03-23 12:09 Bozz Note Added: 0059295
2018-03-27 15:50 Mr.Bricodage Note Added: 0059324