View Issue Details

ID: 0026614
Project: mantisbt
Category: security
View Status: public
Last Update: 2020-02-09 07:05
Reporter: chadmiss
Assigned To: dregad
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: no change required
Product Version: 2.21.0
Summary: 0026614: SOAP: User Credentials appear in plain text in error log
Description

$g_log_destination = 'file:/our/logfile.log';
$g_log_level = LOG_EMAIL | LOG_WEBSERVICE;

When there is an application error (in our case the log file wasn't writable), the error message gets written into the standard server log (using nginx), and the user credentials of the user making a SOAP call are written in the log in plaintext.

That's a major security flaw.

Here is the excerpt from the nginx log:

2020/01/20 06:00:04 [error] 29188#29188: *4957786 FastCGI sent in stderr: "PHP message: [mantisconnect.php] Error Type: SYSTEM WARNING,
Error Description: is_writable(): open_basedir restriction in effect. File(/our/logfile.log) is not within the allowed path(s): (/home/mantis_installation:/another/path/)
Stack Trace:
logging_api.php L113 is_writable(<string>'/our/logfile.log')
mc_issue_api.php L83 log_event(<integer>64, <string>'getting details for issue \'2379\'')
UnknownFile L? mc_issue_get(<string>'soap-user', <string>'user-password', <integer>2379)
mantisconnect.php L89 handle()" while reading response header from upstream, client: 91.205.36.179, server: our-mantis-server, request: "POST /our-mantis/api/soap/mantisconnect.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php-fpm-ais_mantis.sock:", host: "www.our-mantis-host.x"

Tags: No tags attached.

Relationships

related to 0025734 (closed, dregad): LOGFILE_NOT_WRITABLE error triggered if file does not exist
related to 0019642 (closed, dregad): If log file is not writable, log_event() fails silently

Activities

dregad

2020-01-20 05:55

developer   ~0063482

I agree that disclosing a password is a security issue, but the stack trace is generated by PHP (due to the warning, and the way your server is configured), and Mantis does not have control over it.

That being said, we should not trigger a PHP WARNING to begin with. It looks like you're using an older version of MantisBT, and I believe that the problem you're reporting should be fixed in release 2.21.1 (see 0025734).

Could you please test again with the latest version (2.23.0) and confirm whether the behavior persists?
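The point above is that the leak comes from a trace that renders function arguments verbatim. As an added example (not MantisBT's code, and not a description of its actual error handler), here is the mitigation an application can apply to traces it renders itself: resolve each frame's parameter names by reflection and mask the values bound to credential-like names before anything is written to a log. The `mc_issue_get` stand-in, its (username, password, issue id) signature, the name pattern and the `[redacted]` marker are all assumptions.

```php
<?php
// Added example (not MantisBT code): mask credential-like args in a trace.
const SENSITIVE_PARAM_PATTERN = '/pass|pwd|secret|token|credential/i';
const REDACTED = '[redacted]';

// Return a frame's args with credential-like parameters masked.
function redact_frame_args( array $p_frame ) {
    $t_args = $p_frame['args'] ?? array();
    try {
        $t_ref = isset( $p_frame['class'] )
            ? new ReflectionMethod( $p_frame['class'], $p_frame['function'] )
            : new ReflectionFunction( $p_frame['function'] );
    } catch( ReflectionException $e ) {
        // Closures and other unresolvable callables: mask everything.
        return array_fill( 0, count( $t_args ), REDACTED );
    }
    foreach( $t_ref->getParameters() as $t_param ) {
        $t_pos = $t_param->getPosition();
        if( array_key_exists( $t_pos, $t_args )
            && preg_match( SENSITIVE_PARAM_PATTERN, $t_param->getName() ) ) {
            $t_args[$t_pos] = REDACTED;
        }
    }
    return $t_args;
}

// Render frames in the "<type>value" style of the log excerpt in the report.
function format_trace_redacted( array $p_trace ) {
    $t_lines = array();
    foreach( $p_trace as $t_frame ) {
        $t_parts = array();
        foreach( redact_frame_args( $t_frame ) as $t_arg ) {
            $t_parts[] = $t_arg === REDACTED ? REDACTED
                : '<' . gettype( $t_arg ) . '>' . ( is_scalar( $t_arg ) ? var_export( $t_arg, true ) : '' );
        }
        $t_lines[] = sprintf( '%s L%s %s(%s)',
            isset( $t_frame['file'] ) ? basename( $t_frame['file'] ) : 'UnknownFile',
            $t_frame['line'] ?? '?', $t_frame['function'], implode( ', ', $t_parts ) );
    }
    return implode( "\n", $t_lines );
}

// Stand-in for the SOAP handler named in the report (signature assumed). It
// captures the trace where a failing is_writable() check would raise the warning.
function mc_issue_get( $p_username, $p_password, $p_issue_id ) {
    return format_trace_redacted( debug_backtrace() );
}

// Constructed call with placeholder credentials; the password is masked.
echo mc_issue_get( 'soap-user', 'user-password', 2379 ), "\n";
```

This only covers traces the application renders itself; traces PHP emits for uncaught errors are outside its control, and on PHP 7.4 or later the `zend.exception_ignore_args` ini setting stops argument values from being collected into exception traces at the engine level.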

chadmiss

2020-01-20 10:05

reporter   ~0063484

Thanks!

Updating to 2.21.1 helped to fix the problem that the log can't be written!

dregad

2020-01-20 11:01

developer   ~0063485

Thanks for the feedback, glad to hear your problem is resolved.

As a side note, if you're concerned about security, I would recommend upgrading to 2.23.0, as several CVEs and other security issues have been fixed since 2.21.1. Look at the Changelog for details.

Issue History

Date Modified Username Field Change
2020-01-20 04:44 chadmiss New Issue
2020-01-20 05:55 dregad Assigned To => dregad
2020-01-20 05:55 dregad Status new => feedback
2020-01-20 05:55 dregad Note Added: 0063482
2020-01-20 05:55 dregad Relationship added related to 0025734
2020-01-20 05:55 dregad Relationship added related to 0019642
2020-01-20 10:05 chadmiss Note Added: 0063484
2020-01-20 10:05 chadmiss Status feedback => assigned
2020-01-20 11:01 dregad Status assigned => resolved
2020-01-20 11:01 dregad Resolution open => no change required
2020-01-20 11:01 dregad Note Added: 0063485
2020-02-09 07:05 atrol Status resolved => closed