View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0026614||mantisbt||security||public||2020-01-20 04:44||2020-02-09 07:05|
|Status||closed||Resolution||no change required|
|Summary||0026614: SOAP: User Credentials appear in plain text in error log|
$g_log_destination = 'file:/our/logfile.log';
when there is an application error (in our case the logfile wasn't writable) the error message gets written into the standard server log (using nginx) the user credentials of the user making a SOAP call are written in the log in plaintext.
that's a major security flaw.
here is the excerpt from the nginx log
2020/01/20 06:00:04 [error] 29188#29188: *4957786 FastCGI sent in stderr: "PHP message: [mantisconnect.php] Error Type: SYSTEM WARNING,
|Tags||No tags attached.|
I agree that disclosing a password is a security issue, but the stack trace is generated by PHP (due to the warning, and the way your server is configured), and Mantis does not have control over it.
That being said, we should not trigger a PHP WARNING to begin with. It looks like you're using an older version of MantisBT, and I believe that the problem you're reporting should be fixed in release 2.21.1 (see 0025734).
Could you please test again with the latest version (2.23.0) and confirm whether the behavior persists.
updating to 2.21.1 helped to fix the problem that the log can't be written!
Thanks for the feedback, glad to hear your problem is resolved.
As a side note, if you're concerned about security, I would recommend to upgrade to 2.23.0 as several CVEs and other security issues were fixed since 2.21.1. Look at Changelog for details
|2020-01-20 04:44||chadmiss||New Issue|
|2020-01-20 05:55||dregad||Assigned To||=> dregad|
|2020-01-20 05:55||dregad||Status||new => feedback|
|2020-01-20 05:55||dregad||Note Added: 0063482|
|2020-01-20 05:55||dregad||Relationship added||related to 0025734|
|2020-01-20 05:55||dregad||Relationship added||related to 0019642|
|2020-01-20 10:05||chadmiss||Note Added: 0063484|
|2020-01-20 10:05||chadmiss||Status||feedback => assigned|
|2020-01-20 11:01||dregad||Status||assigned => resolved|
|2020-01-20 11:01||dregad||Resolution||open => no change required|
|2020-01-20 11:01||dregad||Note Added: 0063485|
|2020-02-09 07:05||atrol||Status||resolved => closed|