View Issue Details

ID: 0034581
Project: mantisbt
Category: security
View Status: public
Last Update: 2024-08-25 04:28
Reporter: anddam
Assigned To: dregad
Priority: normal
Severity: text
Reproducibility: always
Status: closed
Resolution: no change required
Summary: 0034581: Disclosure of default administrator password on login page
Description

The application spoils to anonymous users if the default admin is enabled and if that account is using the default password. This increases the risk of the account being taken over by malicious users in an insecure setup.

Additional Information

(image is in Dutch)

Tags: No tags attached.
Attached Files
afbeelding.png (44,678 bytes)   
afbeelding-2.png (44,873 bytes)   

Relationships

related to 0010968 acknowledged Ask to create first admin account during installation (instead of using a default account and password) 

Activities

anddam

2024-08-14 07:55

reporter   ~0069095

I am currently not able to verify for which versions this is applicable. This is possibly also applicable for the latest version.

dregad

2024-08-15 03:26

developer   ~0069100

Hello,

Thanks for the report.

This behavior is by design. The purpose of this message is to remind the Administrator that they have not changed the administrator account's default password, which is indeed a security risk.

The appropriate solution is not to remove the warning, but for the person who installs MantisBT to use a different password (or even better, not to use the default administrator account at all and use another).

If for some reason you really want to keep the default account and password (which would be a silly thing to do from a security standpoint), you can disable the warnings on the login page by setting $g_admin_checks = OFF; in your config_inc.php.

For the record, we have a long-standing feature request, to request the admin account and password at install time, that should fix this; see 0010968.