0023720: Passwords (plaintext) in Mantis configuration file - MantisBT

ID	Project	Category	View Status	Date Submitted	Last Update

0023720	mantisbt	security	public	2017-12-12 17:23	2023-05-23 04:00

Reporter	Mr.Bricodage	Assigned To	dregad
Priority	normal	Severity	feature	Reproducibility	always
Status	resolved	Resolution	not fixable
Product Version	2.9.0

Summary	0023720: Passwords (plaintext) in Mantis configuration file
Description	Hello, password stored in Mantis config file is a security issue, even if file access is well locked (chmod 600, owned by apache process). Example : somebody that had/usurpt root access will see easily information to read/write/delete mysql data on a SQL server where he has no rights. I know that somebody who access the config file containing encrypted password will be able to decrypt the password using Mantis methods. Password encryption is a "border" that force the viewer to know how Mantis works to decrypt. In some situations, that risk avoidance will discourage the exploit or delay it. The question has been asked in 2008 (0005208) and ticket has been answered (not fixable) and closed, but I need a updated answer in 2017 context (salt, ...) : Is it feasible to encrypt or hide passwords in Mantis configuration file ?
Steps To Reproduce	Consult a config_inc.php file is config folder : $g_db_password and $g_smtp_password (if configured) are filled with readable password.
Tags	No tags attached.

vboctor 2017-12-12 20:11 manager ~0058379	A common pattern for this is to use environment variables for secrets that are fetched in config_inc.php. Is there a reason why this doesn't work for you?

Mr.Bricodage 2017-12-13 01:19 reporter ~0058384	Hello Thanks for the feedback. I wasn't aware of this common pattern. I have to check with my operations team to evaluate the solution. Is it documented ? Maybe that a warning could be raised by one step of the admin/check/index page if no environment variable is used to inform that a way exists to secure a bit the installation ?

vboctor 2017-12-13 02:52 manager ~0058385	It is not a common pattern for MantisBT, but it separates passwords from config and gives you control on how you manage them.

Bozz 2018-03-23 12:09 reporter ~0059295	Hi, I need to know how this concepts work as well. Does anyone have a link or reference I can use to learn about it and how to implement this with Mantis ? Thank you.

Mr.Bricodage 2018-03-27 15:50 reporter ~0059324	For the record, this is my feedback about how to configure a apache/debian environment to use environment variable as mantis password storage (thanks @vboctor for the tips) : 1) edit `/etc/environment` (create it if needed) to store your information (the mantis password) `MANTIS_PASSWORD=<MANTIS_DB_PWD>` 2) tell apache to use env vars : in `/etc/apache2/envvars` file, add the following lines `. /etc/environment` `export MANTIS_PASSWORD` 3) restart apache service 4) use env vars in mantis config file `mantis/config/config_inc.php` `$g_db_password = getenv('MANTIS_PASSWORD');` Step 1 has to be adapted regarding your OS.

gkeepa 2023-05-22 15:47 reporter ~0067770	hi, im using windows and iis as os and webserver, just wondering if there are other ways of achieving this? by putting password in /etc/environment, would it still be plain text to people with the right privillege?

dregad 2023-05-23 02:54 developer ~0067771	by putting password in /etc/environment, would it still be plain text to people with the right privillege? Yes

dregad 2023-05-23 04:00 developer ~0067774	The situation in 2017 (or in 2023 for that matter) has not changed. There is no really secure alternative to storing the password in plain-text somewhere. In terms of best practice, file containing sensitive information should be stored outside of web root. Encryption is pointless as it needs to be reversible so it would be security by obscurity.