View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0025380||mantisbt||security||public||2019-01-23 21:15||2019-01-23 21:15|
|Target Version||Fixed in Version|
|Summary||0025380: Should warn if config is globally readable|
It's great that Mantis warns if the admin directory is left around.
Likewise, I think it would be great if Mantis warned if at least its config_inc.php was world readable, possibly other _inc.php files, but I haven't learned what those are for yet.
It contains passwords for the database, likely SMTP, and the salt.
Of course, a distribution's package can set ownership and permissions properly. But it would be a nice double check for Mantis to do this in case a distribution doesn't do this. (Mine didn't, but I've reported that.) It would also be good for people manually installing who don't get the benefit of their distribution potentially doing this, or if someone inadvertently changes permissions.
|Tags||No tags attached.|
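One way the check requested above could look, as an added example that is not MantisBT code and not part of the original report. The function name `check_config_permissions`, the `*_inc.php` pattern and the file `example_inc.php` are assumptions made for illustration; only `config_inc.php` is named in the report.

```php
<?php
// Added example, not MantisBT code. The function name and the default
// file pattern are assumptions made for illustration.

// Returns one warning per config file that "other" users can read or write.
function check_config_permissions(string $configDir, string $pattern = '*_inc.php'): array
{
    // POSIX mode bits are not meaningful on Windows, so skip the check there.
    if (DIRECTORY_SEPARATOR === '\\') {
        return [];
    }

    $warnings = [];
    $files = glob(rtrim($configDir, '/') . '/' . $pattern) ?: [];
    foreach ($files as $file) {
        $perms = @fileperms($file);
        if ($perms === false) {
            $warnings[] = "$file: cannot read permissions";
            continue;
        }
        $mode = $perms & 0777;          // keep only the rwx bits
        if ($mode & 0004) {             // other-read: secrets exposed to local users
            $warnings[] = sprintf('%s is world readable (mode %04o)', $file, $mode);
        }
        if ($mode & 0002) {             // other-write: config can be tampered with
            $warnings[] = sprintf('%s is world writable (mode %04o)', $file, $mode);
        }
    }
    return $warnings;
}

// Constructed demonstration: a throwaway directory with one loosely and
// one tightly protected file standing in for real configuration.
$dir = sys_get_temp_dir() . '/perm_demo_' . getmypid();
mkdir($dir, 0700);
file_put_contents("$dir/config_inc.php", "<?php // placeholder\n");
file_put_contents("$dir/example_inc.php", "<?php // placeholder\n");
chmod("$dir/config_inc.php", 0644);   // world readable, should be flagged
chmod("$dir/example_inc.php", 0640);  // owner and group only, should pass

foreach (check_config_permissions($dir) as $warning) {
    echo "WARNING: $warning\n";
}

array_map('unlink', glob("$dir/*"));
rmdir($dir);
```

Removing the other-read bit only works if the web server account owns the file or belongs to its group; otherwise the application can no longer load its own configuration.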