View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0008635||mantisbt||authentication||public||2007-12-03 11:50||2007-12-20 01:37|
|Summary||0008635: The encryption password is insecure|
Since the authentication process is trying several methods to verify the password (plain text), the encryption password is inefficient. Somebody can use the encrypted password stored in the database to authenticate under the account of someone else.
|Tags||No tags attached.|
You need access to the database to make this happen. We assume that only the trusted administrator could do this.
There are several documented ways to secure the database. (ref http://www.logicaloutcome.ca/commentary/mantis_secure_mysql_setup.html )
In this case, the encryption of the password only adds no special protection
I've fixed this as part of 0008467. Let me know if you have any comments before I resolve this issue as a duplicate.
I can not see the description of the bug 0008467. I suppose that the bug is closed, and I do not have enough right of access.
But when reading the title, I think also that is a duplicate.
When I see the source code it's ok. I excuse me because I was trying something with the ldap authentication. (http://www.mantisbt.org/forums/viewtopic.php?f=4&t=3491&p=9662&hilit=ldap#p9662)
This is a duplicate of 0008467 which is now marked as public.
|2007-12-03 11:50||bethysgu||New Issue|
|2007-12-03 12:02||thraxisp||Note Added: 0016354|
|2007-12-03 12:03||thraxisp||Summary||The encryption password is inefficient => The encryption password is insecure|
|2007-12-03 12:03||thraxisp||Description Updated|
|2007-12-03 12:14||bethysgu||Note Added: 0016355|
|2007-12-04 00:36||vboctor||Note Added: 0016357|
|2007-12-04 00:36||vboctor||Status||new => feedback|
|2007-12-04 03:57||bethysgu||Note Added: 0016360|
|2007-12-04 10:33||vboctor||Relationship added||duplicate of 0008467|
|2007-12-04 10:33||vboctor||Duplicate ID||0 => 8467|
|2007-12-04 10:33||vboctor||Status||feedback => resolved|
|2007-12-04 10:33||vboctor||Resolution||open => duplicate|
|2007-12-04 10:33||vboctor||Assigned To||=> vboctor|
|2007-12-04 10:33||vboctor||Note Added: 0016368|
|2007-12-20 01:37||vboctor||Status||resolved => closed|