2014-11-26 11:05 EST

ID: 0017363
Project: mantisbt
Category: authentication
View Status: public
Last Update: 2014-05-23 05:01
Reporter: doug_stevens
Assigned To: dregad
Priority: normal
Severity: major
Reproducibility: always
Status: assigned
Resolution: open
Product Version:
Target Version:
Fixed in Version:
Summary: 0017363: Authentication is done using http (non-ssl) and passwords appear in plaintext.

Description: When logging in to mantis, the login is done using http instead of https. Passwords appear in plaintext on the network, and can be captured by someone other than the user.

Steps To Reproduce:
* Start wireshark on the network adapter connected to the outside net.
* Set the wireshark capture filter for
  "tcp port http and host www.mantisbt.org"
* Start the wireshark capture and log into http://www.mantisbt.org/bugs.
* Stop the wireshark capture and locate the POST packet.
* In the middle window, expand "Line-based text data", which shows the
  password (I've replaced the value with x's) ...
  "return=%2Fbugs%2Fmy_view_page.php&username=doug_stevens&password=xxxxxxxxx"

Additional Information: Btw, mantisbt is a great tool. It's the only bugtracking system I found that could be installed on a hosted server, and the installation is really simple.
Tags: No tags attached.
Attached Files:

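The capture described in the steps above is the whole issue: on plain http the login POST body travels as readable text, so anyone on the path between the browser and www.mantisbt.org gets the password with no attack beyond listening. The script below is an added example, not MantisBT code and not the reporter's capture: it parses a constructed HTTP request of the same shape (request line, headers, url-encoded body) and pulls out the form fields exactly as a passive sniffer would. The request bytes, the password value, the login.php target and the function names are all constructed for this example.

```python
"""Recover login form fields from a captured plaintext HTTP POST.

Added example (not MantisBT's code).  CAPTURED_POST is constructed to
mirror the request shown in the bug report; the password is made up.
"""
from urllib.parse import parse_qs

# Constructed sample: the bytes a sniffer on tcp/80 sees when the login
# form is submitted.  Content-Length is computed so the sample is consistent.
LOGIN_BODY = b"return=%2Fbugs%2Fmy_view_page.php&username=doug_stevens&password=hunter2xx"
CAPTURED_POST = (
    b"POST /bugs/login.php HTTP/1.1\r\n"
    b"Host: www.mantisbt.org\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: " + str(len(LOGIN_BODY)).encode() + b"\r\n"
    b"\r\n" + LOGIN_BODY
)


def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into method, target, headers and body.

    Header names are lower-cased so lookups are case-insensitive; the body
    is cut at Content-Length so trailing bytes from the stream are ignored.
    """
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("truncated capture: end of headers not seen")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", len(rest)))
    if len(rest) < length:
        raise ValueError("truncated capture: body shorter than Content-Length")
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": rest[:length]}


def credentials_from_capture(raw: bytes) -> dict:
    """Return the form fields of a url-encoded POST, or {} for anything else.

    parse_qs undoes the percent-encoding, so 'return=%2Fbugs%2F...' comes
    back as the path the browser will be sent to after login.
    """
    req = parse_http_request(raw)
    ctype = req["headers"].get("content-type", "")
    if req["method"] != "POST" or not ctype.startswith("application/x-www-form-urlencoded"):
        return {}
    fields = parse_qs(req["body"].decode("utf-8"), keep_blank_values=True)
    return {name: values[0] for name, values in fields.items()}


if __name__ == "__main__":
    for name, value in credentials_from_capture(CAPTURED_POST).items():
        print(f"{name} = {value}")
```

The same request inside a TLS record gives the parser nothing to split on; the plaintext layer it relies on is exactly what the move to https removes. The capture filter in the report ("tcp port http and host www.mantisbt.org") is enough to isolate this traffic because there is no need to reassemble anything: the credentials sit in a single segment.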
Notes
~0040614 grangeway (reporter)

Obviously if you're hosting Mantis yourself, use HTTPS/SSL.

In terms of Mantisbt.org, I completely agree - personally, I'd get a free certificate and run the whole site over SSL and be done with it these days.
~0040617 dregad (developer)

Reminder sent to: vboctor

Victor,

I think that's a sensible thing to do. Can you take care of obtaining a certificate? I can set it up on the server.

http://cert.startcom.org/
https://www.godaddy.com/ssl/ssl-open-source.aspx

I think you should do this for mantisbt.mobi as well (although you can't apply for GoDaddy's open source offer for this).
~0040619 vboctor (administrator)

I will sort out the certificate.
~0040629 dregad (developer)

SSL should now be operational - https://mantisbt.org

For now I have it set up with two distinct configs, to give us time to test and see if there are any issues with the site's various components (tracker, forums, wiki, blog, etc.)

Once we're OK, I'll merge the 2 configs and setup an automated redirection so that any http request goes to https.
~0040630 rombert (developer)

> Once we're OK, I'll merge the 2 configs and setup an automated redirection so that any http request goes to https.

Not sure if it's in your plan, but HSTS would be nice, so that we don't have a redirect from http to https from clients which have already visited our site.
~0040631 dregad (developer)

Shouldn't be a problem setting up HSTS, it's just an extra header to send.

I didn't notice it last night (it was late...) but https seems to cause issues with rendering the bugtracker, looks like the css is not loaded, not sure why.
~0040632 rombert (developer)

Many assets are loaded using http, e.g.

<link rel="stylesheet" type="text/css" href="http://www.mantisbt.org/bugs/css/default.css" />

This is the probable cause of the breakage.
~0040633 dregad (developer)

Yes I noticed that after posting.

So the root cause is

1. the html_css() function forces an absolute path by calling string_sanitize_url(xxx, true), which by the way I think is a strange thing to do (it was introduced as a fix for 0010877 - will have to see if we can improve that somehow).

2. the server's config_inc.php has a hardcoded $g_path = 'http://www.mantisbt.org/bugs/'; also not sure of the reason it's defined that way and not relying on default behavior, will need to ask Victor or maybe John.

Anyway the fix is to dynamically set the protocol when initializing $g_path. Should work now.
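Two things from this thread fit in one piece of code: the http-to-https redirect plus HSTS header discussed in notes 0040629 to 0040631, and the root cause above, a base path hardcoded with the http scheme that turns every absolute asset URL into mixed content once the page itself is served over https. The example below is added here and is not MantisBT's own code: it does not reproduce html_css(), string_sanitize_url() or the mantisbt.org server configuration. It is a small WSGI handler whose base_path() derives the scheme from the request (the counterpart of "dynamically set the protocol when initializing $g_path"), redirects plain-http requests to https, and sends Strict-Transport-Security only on TLS responses. The function names, HSTS value, the trust_forwarded switch and the sample environ dicts are this example's own assumptions.

```python
"""Scheme-aware base URL, http-to-https redirect and HSTS as a tiny WSGI app.

Added example, not MantisBT's code.  Names and sample requests below are
constructed for this example.
"""
from urllib.parse import quote

# RFC 6797 policy: one year; add includeSubDomains only if every subdomain
# of the host already serves TLS (assumption made for this example).
HSTS_VALUE = "max-age=31536000; includeSubDomains"


def derive_scheme(environ: dict, trust_forwarded: bool = False) -> str:
    """Return 'https' or 'http' for this request.

    wsgi.url_scheme is what the local server saw.  Behind a TLS-terminating
    proxy that is always 'http' and only X-Forwarded-Proto tells the truth;
    honour it only when the proxy is known to overwrite client-supplied
    copies, otherwise any client can claim 'https' and skip the redirect.
    """
    if trust_forwarded:
        first = environ.get("HTTP_X_FORWARDED_PROTO", "").split(",")[0].strip().lower()
        if first in ("http", "https"):
            return first
    return environ.get("wsgi.url_scheme", "http")


def base_path(environ: dict, trust_forwarded: bool = False) -> str:
    """Absolute application root, the dynamic counterpart of a hardcoded
    'http://host/bugs/': same host and root, but this request's scheme, so
    assets referenced from it are never mixed content."""
    scheme = derive_scheme(environ, trust_forwarded)
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    root = environ.get("SCRIPT_NAME", "").rstrip("/")
    return f"{scheme}://{host}{root}/"


def handle(environ: dict, trust_forwarded: bool = False):
    """Return (status, headers, body) for one request."""
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    path = environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", "")
    query = environ.get("QUERY_STRING", "")
    if derive_scheme(environ, trust_forwarded) != "https":
        # Plain http: send the client to the same resource over TLS.  No HSTS
        # here: browsers ignore the header on non-TLS responses (RFC 6797).
        location = "https://" + host + quote(path) + ("?" + query if query else "")
        return "301 Moved Permanently", [("Location", location)], b""
    css = base_path(environ, trust_forwarded) + "css/default.css"
    body = f'<link rel="stylesheet" type="text/css" href="{css}" />'.encode()
    headers = [
        ("Content-Type", "text/html; charset=utf-8"),
        # On TLS responses only: returning visitors then go straight to https
        # without the redirect round-trip, and http:// links to this host are
        # rewritten to https by the browser before any request leaves it.
        ("Strict-Transport-Security", HSTS_VALUE),
    ]
    return "200 OK", headers, body


def app(environ, start_response):
    """WSGI entry point wrapping handle()."""
    status, headers, body = handle(environ)
    headers.append(("Content-Length", str(len(body))))
    start_response(status, headers)
    return [body]


# Constructed sample requests, not captured traffic.
PLAIN_HTTP = {"wsgi.url_scheme": "http", "HTTP_HOST": "www.mantisbt.org",
              "SCRIPT_NAME": "/bugs", "PATH_INFO": "/view.php",
              "QUERY_STRING": "id=17363"}
TLS_DIRECT = {"wsgi.url_scheme": "https", "HTTP_HOST": "www.mantisbt.org",
              "SCRIPT_NAME": "/bugs", "PATH_INFO": "/my_view_page.php",
              "QUERY_STRING": ""}
BEHIND_PROXY = dict(PLAIN_HTTP, HTTP_X_FORWARDED_PROTO="https")

if __name__ == "__main__":
    for env in (PLAIN_HTTP, TLS_DIRECT, BEHIND_PROXY):
        status, headers, _ = handle(env, trust_forwarded=True)
        print(status, headers)
```

Two practical checks follow from the code. First, the HSTS header is only useful once the redirect is in place and everything under the host works over TLS, because the max-age commits every visitor's browser to https for that long; start with a short max-age while testing the "two distinct configs". Second, if the tracker ever sits behind a TLS-terminating proxy, derive_scheme() must be told to trust X-Forwarded-Proto, or base_path() will fall back to http and reintroduce exactly the mixed-content breakage seen in note 0040632.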
~0040634 dregad (developer)

As a side note, I wonder why Firefox just blocked the CSS and did not give any "mixed content" warning, and also Firebug just silently failed to load the file without reporting anything in the Net panel or the console.

Issue History
Date Modified Username Field Change
2014-05-21 16:10 doug_stevens New Issue
2014-05-21 18:30 grangeway Note Added: 0040614
2014-05-21 19:05 dregad Note Added: 0040617
2014-05-22 00:54 vboctor Note Added: 0040619
2014-05-22 00:55 vboctor Assigned To => vboctor
2014-05-22 00:55 vboctor Status new => assigned
2014-05-22 19:11 dregad Assigned To vboctor => dregad
2014-05-22 19:14 dregad Note Added: 0040629
2014-05-23 02:48 rombert Note Added: 0040630
2014-05-23 04:26 dregad Note Added: 0040631
2014-05-23 04:33 rombert Note Added: 0040632
2014-05-23 05:00 dregad Note Added: 0040633
2014-05-23 05:01 dregad Note Added: 0040634