Mantis bug tracker config file containing MySQL password is world readable!
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| mantis (Debian) | Fix Released | Unknown | | |
| mantis (Ubuntu) | Confirmed | Low | Unassigned | |
Bug Description
I just installed the Mantis bug tracker, version 1.1.6+dfsg-
$ ls -l /etc/mantis/
-rw-r--r-- 1 root root 537 2009-06-11 20:23 /etc/mantis/
That is a big security issue! I think the permissions should have been like below (changed group to www-data and disabled read permissions for others):
-rw-r----- 1 root www-data 537 2009-06-11 20:23 /etc/mantis/
Searching the Internet reveals a Debian bug entry on the very same issue [1] and it is pointed out that the issue should have been fixed in version 1.0.7+dfsg-1. But I still see the issue here with version 1.1.6+dfsg-
[1]: http://<email address hidden>
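An added example (not from the bug report or the mantis package) of the check and the fix the reporter proposes: a config file holding database credentials should be root-owned, group-owned by the web server's group (www-data here, an assumption taken from the report) and mode 0640, so that "others" have no access. The file path is a placeholder.

```shell
#!/bin/sh
# check_config_perms FILE GROUP
# Returns 0 when FILE grants no permission bits to "others" and is owned by
# GROUP; otherwise prints what is wrong and returns 1. Uses GNU stat.
check_config_perms() {
    file=$1
    want_group=$2
    [ -f "$file" ] || { echo "missing: $file"; return 1; }
    mode=$(stat -c '%a' "$file")    # e.g. 644
    group=$(stat -c '%G' "$file")
    other=$(( mode % 10 ))          # last octal digit = "others" bits
    rc=0
    if [ "$other" -ne 0 ]; then
        echo "accessible by others: $file (mode $mode)"
        rc=1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "wrong group: $file (is $group, want $want_group)"
        rc=1
    fi
    return $rc
}

# fix_config_perms FILE GROUP
# Applies the proposed state: group GROUP, mode 0640. Changing the owner to
# root needs root privileges, so only group and mode are set here.
fix_config_perms() {
    file=$1
    want_group=$2
    chgrp "$want_group" "$file" && chmod 0640 "$file"
}

# Usage (placeholder path; the real file name is package-specific):
#   check_config_perms /etc/mantis/CONFIG_FILE www-data || \
#       sudo sh -c 'fix_config_perms /etc/mantis/CONFIG_FILE www-data'
```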
Changed in mantis (Ubuntu):
importance: Undecided → Low
status: New → Confirmed
visibility: private → public
Changed in mantis (Debian):
status: Unknown → Fix Released
My steps were:
$ sudo apt-get install mantis
While setting up Mantis, something went wrong, and dbconfig-common did not manage to create a database for Mantis (maybe user error). So I used dpkg-reconfigure:
$ sudo dpkg-reconfigure mantis
And after that, having a working Mantis install, I noticed the world readable config file.