View Issue Details

ID: 0014087
Project: mantisbt
Category: installation
View Status: public
Last Update: 2015-06-03 04:27
Reporter: vboctor
Assigned To: vboctor
Priority: normal
Severity: crash
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 1.3.0dev
Target Version: 1.3.0-beta.1
Summary: 0014087: Installation script doesn't set the crypto_master_salt causing errors
Description

Currently, after installation, one gets the error below:

APPLICATION ERROR #2900
For security reasons MantisBT will not operate when $g_crypto_master_salt is not specified correctly in config_inc.php.
Please use the "Back" button in your web browser to return to the previous page. There you can correct whatever problems were identified in this error or select another action. You can also click an option from the menu bar to go directly to a new section.

Tags: No tags attached.

Relationships

related to 0015721 (closed, grangeway): Functionality to consider porting to master-2.0.x
related to 0017849 (confirmed): Salt missing error not very helpful for users
child of 0014088 (closed, vboctor): Mantis 1.3.0 blocking issues

Activities

dhx

2012-03-31 08:32

reporter   ~0031583

Advised solution: use the API within crypto_api.php to generate a secure nonce that is saved into $g_crypto_master_salt during installation.

dhx

2012-05-06 02:48

reporter   ~0031766

I've reimplemented this fix using a correct/secure method via the new crypto_api functions. md5(time) is not at all random and severely reduces MantisBT's level of security.

Are you able to test this new implementation to ensure it works as intended?

vboctor

2012-05-06 05:09

manager   ~0031767

Does your new implementation work if the crypto api is unable to generate a secure salt? When I checked it out before, it seemed that it will not work in a Windows environment.

M.C.S.

2012-10-26 02:11

reporter   ~0033310

Last edited: 2012-10-26 03:18

vboctor is correct. On Windows XAMPP, the Mantis installation left me without a $g_crypto_master_salt entry in the config_inc.php file. I had to manually add this entry.

grangeway

2013-04-05 17:56

reporter   ~0036216

Marking as 'acknowledged' not resolved/closed to track that change gets ported to master-2.0.x branch

Related Changesets

MantisBT: master 3f0f3799

2012-05-05 16:50

vboctor


Fixes 0014087: Installation script doesn't set the crypto_master_salt causing errors.
Affected Issues: 0014087
mod - admin/install.php

MantisBT: master caf21ad4

2012-05-05 19:38

dhx


Fix 0014087: Installation: create a cryptographically secure master salt

Commit 3f0f3799e65d8cc8752ac8d5dd27cbaceaaf1ec4 automatically generated
a value for $g_crypto_master_salt during installation based on a very
weak mechanism -- an MD5 hash of the current server time.

This commit correctly generates a 256bit cryptographically secure salt
instead, based on a much stronger source of randomness such as OpenSSL's
PRNG or /dev/urandom on Linux systems.

When a secure salt cannot be generated the user will need to manually
define $g_crypto_master_salt post installation.

Carriage return characters have also been removed from the default
generated config_inc.php file. These characters are redundant and do not
match the line termination standard used throughout MantisBT's code base.
Affected Issues: 0014087
mod - admin/install.php

MantisBT: master a917bd61

2012-05-05 20:35

dhx


Fix 0014087: Safely base64_encode $g_crypto_master_salt

Commit caf21ad4f13bff4190317750343ea2d445242467 tried to write a raw
binary string directly to the configuration file. The randomly generated
master salt needs to be base64 encoded prior to being written to the
configuration file.
Affected Issues: 0014087
mod - admin/install.php
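
The approach described in changesets caf21ad4 and a917bd61 (a 256-bit salt from a CSPRNG, base64-encoded before being written to config_inc.php, with no weak fallback), sketched as an added example that is not MantisBT's own code. The function names generate_master_salt() and render_salt_line() are hypothetical, and PHP 7.1+ with random_bytes() is assumed.

```php
<?php
// Added example, not MantisBT code: generate_master_salt() and
// render_salt_line() are hypothetical names. Assumes PHP 7.1+.

/** Return $p_bytes random bytes from a CSPRNG, or null if none is usable. */
function generate_master_salt( int $p_bytes = 32 ): ?string {
	// random_bytes() reads the OS CSPRNG and throws when it is unavailable.
	if( function_exists( 'random_bytes' ) ) {
		try {
			return random_bytes( $p_bytes );
		} catch( Throwable $e ) {
			// fall through to OpenSSL
		}
	}
	if( function_exists( 'openssl_random_pseudo_bytes' ) ) {
		try {
			$t_strong = false;
			$t_salt = openssl_random_pseudo_bytes( $p_bytes, $t_strong );
			// Accept the bytes only if OpenSSL reports a strong algorithm.
			if( is_string( $t_salt ) && strlen( $t_salt ) === $p_bytes && $t_strong === true ) {
				return $t_salt;
			}
		} catch( Throwable $e ) {
			// no usable source
		}
	}
	// Never fall back to md5( time() ): its only input is the install time,
	// so the salt space shrinks to the number of plausible install seconds.
	return null;
}

/** Build the config_inc.php line for the salt, or a comment when generation failed. */
function render_salt_line( ?string $p_salt ): string {
	if( $p_salt === null ) {
		return "// No secure random source found: define \$g_crypto_master_salt manually.\n";
	}
	// base64 keeps raw bytes (quotes, backslashes, NULs, newlines) out of the
	// generated PHP source; its alphabet is safe inside single quotes.
	return "\$g_crypto_master_salt = '" . base64_encode( $p_salt ) . "';\n";
}

echo render_salt_line( generate_master_salt() );
```

When no source is available the installer output carries only the comment line, which matches the behaviour the commit message describes: the administrator defines $g_crypto_master_salt by hand after installation.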