View Issue Details
| Field | Value |
|---|---|
| ID | 0014087 |
| Project | mantisbt |
| Category | installation |
| View Status | public |
| Date Submitted | 2012-03-26 01:15 |
| Last Update | 2015-06-03 04:27 |
| Reporter | vboctor |
| Assigned To | vboctor |
| Priority | normal |
| Severity | crash |
| Reproducibility | have not tried |
| Status | closed |
| Resolution | fixed |
| Product Version | 1.3.0dev |
| Target Version | 1.3.0-beta.1 |
| Summary | 0014087: Installation script doesn't set the crypto_master_salt causing errors |
| Description | Currently, after installation, you get the error below: APPLICATION ERROR #2900 |
| Tags | No tags attached. |
Advised solution: use the API within crypto_api.php to generate a secure nonce that is saved into $g_crypto_master_salt during installation.

I've reimplemented this fix using a correct/secure method via the new crypto_api functions. md5(time) is not at all random and severely reduces MantisBT's level of security. Are you able to test this new implementation to ensure it works as intended?

Does your new implementation work if the crypto API is unable to generate a secure salt? When I checked it out before, it seemed that it would not work in a Windows environment.

vboctor is correct. On Windows XAMPP, the Mantis installation left me without a $g_crypto_master_salt entry in the config_inc.php file. I had to manually add this entry.

Marking as 'acknowledged', not resolved/closed, to track that the change gets ported to the master-2.0.x branch.

MantisBT: master 3f0f3799 2012-05-05 16:50 Details Diff
Fixes 0014087: Installation script doesn't set the crypto_master_salt causing errors.
Affected Issues 0014087

mod - admin/install.php | Diff File

MantisBT: master caf21ad4 2012-05-05 19:38 Details Diff
Fix 0014087: Installation: create a cryptographically secure master salt

Commit 3f0f3799e65d8cc8752ac8d5dd27cbaceaaf1ec4 automatically generated a value for $g_crypto_master_salt during installation based on a very weak mechanism -- an MD5 hash of the current server time. This commit correctly generates a 256bit cryptographically secure salt instead, based on a much stronger source of randomness such as OpenSSL's PRNG or /dev/urandom on Linux systems. When a secure salt cannot be generated the user will need to manually define $g_crypto_master_salt post installation.

Carriage return characters have also been removed from the default generated config_inc.php file. These characters are redundant and do not match the line termination standard used throughout MantisBT's code base.
Affected Issues 0014087

mod - admin/install.php | Diff File

MantisBT: master a917bd61 2012-05-05 20:35 Details Diff
Fix 0014087: Safely base64_encode $g_crypto_master_salt

Commit caf21ad4f13bff4190317750343ea2d445242467 tried to write a raw binary string directly to the configuration file. The randomly generated master salt needs to be base64 encoded prior to being written to the configuration file.
Affected Issues 0014087

mod - admin/install.php | Diff File
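The salt-generation and config-writing steps described in commits caf21ad4 and a917bd61 above, as an added illustrative example; this is not MantisBT's admin/install.php or its crypto_api, and the function names (weak_master_salt, generate_master_salt, render_config) are invented for the illustration. It shows the weak md5(time()) value beside a 256-bit value taken from a CSPRNG (random_bytes on PHP 7+, OpenSSL's PRNG only when it reports a strong result, then /dev/urandom), returns null rather than a weak value when no secure source exists (the Windows case raised in the notes), base64-encodes the binary salt before writing it, and uses "\n"-only line endings.

```php
<?php
// Added example, not MantisBT's own installation code. Function and file
// names are illustrative; only the PHP standard functions are real APIs.

/**
 * The mechanism the first fix used: an MD5 of the install time. The only
 * entropy is the second the installer ran, which an attacker can narrow
 * down from file timestamps or server logs. Kept here for contrast only.
 */
function weak_master_salt() {
    return md5(time());
}

/**
 * Return $length cryptographically secure random bytes (32 = 256 bits),
 * or null when no secure source is available. A null result must lead to
 * the administrator defining $g_crypto_master_salt by hand; the function
 * never degrades to a guessable value.
 */
function generate_master_salt($length = 32) {
    // PHP >= 7.0: random_bytes() throws when no secure source exists.
    if (function_exists('random_bytes')) {
        try {
            return random_bytes($length);
        } catch (Exception $e) {
            // try the remaining sources below
        }
    }
    // OpenSSL PRNG: trust the output only if $strong is reported true.
    if (function_exists('openssl_random_pseudo_bytes')) {
        $strong = false;
        $bytes = openssl_random_pseudo_bytes($length, $strong);
        if ($strong === true && $bytes !== false && strlen($bytes) === $length) {
            return $bytes;
        }
    }
    // /dev/urandom on Unix-like systems; absent on Windows.
    if (@is_readable('/dev/urandom')) {
        $fp = @fopen('/dev/urandom', 'rb');
        if ($fp !== false) {
            $bytes = fread($fp, $length);
            fclose($fp);
            if ($bytes !== false && strlen($bytes) === $length) {
                return $bytes;
            }
        }
    }
    return null;
}

/**
 * Render the config_inc.php fragment. The salt is raw binary, so it is
 * base64-encoded before being placed inside a PHP string literal; writing
 * the bytes directly can corrupt the file (the a917bd61 fix). Lines are
 * joined with "\n" only, so no carriage returns reach the file.
 */
function render_config($salt) {
    $lines = array('<?php');
    if ($salt === null) {
        $lines[] = '# No secure random source was available on this system.';
        $lines[] = '# Set $g_crypto_master_salt manually to a base64-encoded 32-byte random value.';
    } else {
        $lines[] = "\$g_crypto_master_salt = '" . base64_encode($salt) . "';";
    }
    return implode("\n", $lines) . "\n";
}

$salt   = generate_master_salt();
$config = render_config($salt);
echo $config;

// Checks a practitioner would run: the written value decodes back to the
// same 32 bytes and the file contains no carriage returns.
if ($salt !== null) {
    preg_match("/'([A-Za-z0-9+\\/=]+)'/", $config, $m);
    assert(base64_decode($m[1], true) === $salt);
    assert(strlen($salt) === 32);
}
assert(strpos($config, "\r") === false);
```

Running this on a host with OpenSSL or /dev/urandom prints a one-line config assignment with a 44-character base64 value; on a host with neither (the XAMPP-on-Windows case in the notes) it prints the two comment lines instead, which is the "define it manually post installation" outcome the caf21ad4 message describes rather than a silently weak salt.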