View Issue Details

ID: 0008635
Project: mantisbt
Category: authentication
View Status: public
Last Update: 2007-12-20 01:37
Reporter: bethysgu
Assigned To: vboctor
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: duplicate
Product Version: 1.1.0rc3
Summary: 0008635: The encryption password is insecure
Description

Since the authentication process is trying several methods to verify the password (plain text), the encryption password is inefficient. Somebody can use the encrypted password stored in the database to authenticate under the account of someone else.

Tags: No tags attached.

Relationships

duplicate of 0008467 (closed, vboctor): Users can login using the MD5 hash of the password
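A minimal model of the behaviour this report describes, as an added example that is not MantisBT code: the method table, function names and sample account are constructed for illustration. It contrasts a check that tries every method, including plain text, against the stored value with one that applies only the configured method.

```python
import hashlib
import hmac

def md5_hex(password: str) -> str:
    # MD5 mirrors the linked report; unsalted MD5 is not adequate for new systems.
    return hashlib.md5(password.encode()).hexdigest()

def plain(password: str) -> str:
    return password

# Hypothetical method table (names are illustrative, not the project's).
METHODS = {"MD5": md5_hex, "PLAIN": plain}

# Constructed sample account: the database holds only the MD5 digest.
STORED = {"alice": md5_hex("correct horse")}

def _equal(a: str, b: str) -> bool:
    # Constant-time comparison on bytes, so non-ASCII input cannot raise.
    return hmac.compare_digest(a.encode(), b.encode())

def login_try_all_methods(user: str, submitted: str) -> bool:
    """Flawed pattern: accept if ANY method reproduces the stored value.

    Because PLAIN is among the methods tried, the stored digest itself
    is accepted as a password.
    """
    stored = STORED.get(user)
    if stored is None:
        return False
    return any(_equal(f(submitted), stored) for f in METHODS.values())

def login_configured_method_only(user: str, submitted: str,
                                 method: str = "MD5") -> bool:
    """Hardened pattern: apply only the configured method to the input."""
    stored = STORED.get(user)
    if stored is None:
        return False
    return _equal(METHODS[method](submitted), stored)

if __name__ == "__main__":
    digest = STORED["alice"]
    for fn in (login_try_all_methods, login_configured_method_only):
        print(fn.__name__,
              "password:", fn("alice", "correct horse"),
              "stored digest:", fn("alice", digest))
```

With only the configured method applied, a value read from the database is hashed again before comparison and no longer matches.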

Activities

thraxisp

2007-12-03 12:02

reporter   ~0016354

You need access to the database to make this happen. We assume that only the trusted administrator could do this.

There are several documented ways to secure the database. (ref http://www.logicaloutcome.ca/commentary/mantis_secure_mysql_setup.html )

bethysgu

2007-12-03 12:14

reporter   ~0016355

In this case, the encryption of the password adds no special protection.

vboctor

2007-12-04 00:36

manager   ~0016357

I've fixed this as part of 0008467. Let me know if you have any comments before I resolve this issue as a duplicate.

bethysgu

2007-12-04 03:57

reporter   ~0016360

I cannot see the description of bug 0008467. I suppose that the bug is closed and I do not have sufficient access rights.

But reading the title, I also think that it is a duplicate.

When I look at the source code, it's OK. I apologize, because I was trying something with the LDAP authentication (http://www.mantisbt.org/forums/viewtopic.php?f=4&t=3491&p=9662&hilit=ldap#p9662).
It is already corrected in the 1.1.0rc3 version.

vboctor

2007-12-04 10:33

manager   ~0016368

This is a duplicate of 0008467 which is now marked as public.

Issue History

Date Modified Username Field Change
2007-12-03 11:50 bethysgu New Issue
2007-12-03 12:02 thraxisp Note Added: 0016354
2007-12-03 12:03 thraxisp Summary The encryption password is inefficient => The encryption password is insecure
2007-12-03 12:03 thraxisp Description Updated
2007-12-03 12:14 bethysgu Note Added: 0016355
2007-12-04 00:36 vboctor Note Added: 0016357
2007-12-04 00:36 vboctor Status new => feedback
2007-12-04 03:57 bethysgu Note Added: 0016360
2007-12-04 10:33 vboctor Relationship added duplicate of 0008467
2007-12-04 10:33 vboctor Duplicate ID 0 => 8467
2007-12-04 10:33 vboctor Status feedback => resolved
2007-12-04 10:33 vboctor Resolution open => duplicate
2007-12-04 10:33 vboctor Assigned To => vboctor
2007-12-04 10:33 vboctor Note Added: 0016368
2007-12-20 01:37 vboctor Status resolved => closed