Package: mantis
Version: 1.0.6+dfsg-4.1
Severity: grave

After an upgrade of Mantis, the config file /etc/mantis/config_db.php
is world-readable and contains the clear password of my SQL
database!!!

Please urgently fix this as it creates a very big security hole.

The previous versions of Mantis were smarter:

  -rw-r-----  1 root www-data 1887 2007-05-18 11:27 config.php
         ^^^         ^^^^^^^^

I've 'chgrp www-data' and 'chmod 640' the new file
/etc/mantis/config_db.php and it's working.

Thanks.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.20-1-vserver-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages mantis depends on:
ii  apache                      1.3.34-4.1   versatile, high-performance HTTP s
ii  apache2                     2.2.3-4      Next generation, scalable, extenda
ii  apache2-mpm-prefork [apache 2.2.3-4+b1   Traditional model for Apache HTTPD
ii  dbconfig-common             1.8.33       common framework for packaging dat
ii  debconf                     1.5.13       Debian configuration management sy
ii  libapache2-mod-php5         5.2.2-1+b1   server-side, HTML-embedded scripti
ii  libphp-adodb                4.94-1       The 'adodb' database abstraction l
ii  libphp-phpmailer            1.73-3       full featured email transfer class
ii  php4-cli                    6:4.4.6-2+b1 command-line interpreter for the p
ii  php4-mysql                  6:4.4.6-2+b1 MySQL module for php4
ii  php5-cli                    5.2.2-1+b1   command-line interpreter for the p
ii  php5-mysql                  5.2.2-1+b1   MySQL module for php5

mantis recommends no packages.

-- debconf information:
  mantis/dbconfig-reinstall: false
* mantis/dbconfig-install: true
* mantis/remote/newhost: localhost
  mantis/title: Mantis
* mantis/url: http://localhost/mantis/
  mantis/upgrade-backup: true
  mantis/internal/skip-preseed: false
  mantis/install-error: abort
  mantis/internal/reconfiguring: false
  mantis/dbconfig-remove:
* mantis/bounce: [EMAIL PROTECTED]
* mantis/db_autoupdate: true
* mantis/ldap: false
  mantis/ldap_server: localhost
  mantis/version:
  mantis/from: [EMAIL PROTECTED]
  mantis/show_version: true
  mantis/root_mysql: root
  mantis/passwords-do-not-match:
  mantis/signup: true
* mantis/admin: [EMAIL PROTECTED]
* mantis/mysql/admin-user: root
* mantis/remote/port:
* mantis/username: mantis
  mantis/purge: false
* mantis/webmaster: [EMAIL PROTECTED]
* mantis/dbconfig-upgrade: false
  mantis/remove-error: abort
* mantis/remote/host: localhost
* mantis/purge_db: true
* mantis/db/app-user: mantis
* mantis/mysql/method: tcp/ip
  mantis/dn: dn=
  mantis/mysql_port: 3306
* mantis/webserver: apache
* mantis/db/dbname: bugtracker
* mantis/database-type: mysql
  mantis/upgrade-error: abort
* mantis/app_configure: true
  mantis/language: english
* mantis/mysql_server: localhost
* mantis/database: bugtracker
  mantis/organisation:
-- 
 ,''`.
: :' :      Cyril Bouthors
`. `'         Debian.org
  `-

Attachment: pgpIkWrPgwqVU.pgp
Description: PGP signature
