Mantis bug tracker config file containing MySQL password is world readable!

Bug #386075 reported by Bjørn Forsman on 2009-06-11
264
This bug affects 1 person
Affects Status Importance Assigned to Milestone
mantis (Debian)
Fix Released
Unknown
mantis (Ubuntu)
Low
Unassigned

Bug Description

I just installed the Mantis bug tracker, version 1.1.6+dfsg-2ubuntu1, in Ubuntu 9.04 amd64 desktop. Inspecting the installed files, I find that the Mantis database config file, /etc/mantis/config_db.php, containg my MySQL database password, is world readable!

$ ls -l /etc/mantis/config_db.php
-rw-r--r-- 1 root root 537 2009-06-11 20:23 /etc/mantis/config_db.php

That is a big security issue! I think the permissions should have been like below (changed group to www-data and disabled read permissions for others):

-rw-r----- 1 root www-data 537 2009-06-11 20:23 /etc/mantis/config_db.php

Searching the Internet reveals a Debian bug entry on the very same issue [1] and it is pointed out that the issue should have been fixed in version 1.0.7+dfsg-1. But I still see the issue here with version 1.1.6+dfsg-2ubuntu1.

[1]: http://<email address hidden>/msg102813.html

Changed in mantis (Ubuntu):
importance: Undecided → Low
status: New → Confirmed
visibility: private → public
Bjørn Forsman (bjorn-forsman) wrote :

My steps were:

$ sudo apt-get install mantis

While setting up Mantis, something went wrong, and dbconfig-common did not manage to create a database for Mantis (maybe user error). So I used dpkg-reconfigure:

$ sudo dpkg-reconfigure mantis

And after that, having a working Mantis install, I noticed the world readable config file.

Micah Gersten (micahg) wrote :

It seems like the patch was added but when the package finally made it into unstable, it was no longer there.

http://packages.debian.org/changelogs/pool/main/m/mantis/mantis_1.1.6+dfsg-2/changelog#versionversion1.0.7_dfsg-1

Changed in mantis (Debian):
status: Unknown → Fix Released
Dario Minnucci (midget) wrote :

The URL you was requesting is incorrect, try this one:

http://packages.debian.org/changelogs/pool/main/m/mantis/current/changelog

To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.