View Issue Details
| Field | Value |
|---|---|
| ID | 0012957 |
| Project | mantisbt |
| Category | ldap |
| View Status | public |
| Date Submitted | 2011-04-21 12:16 |
| Last Update | 2023-02-27 05:22 |
| Reporter | scmme |
| Assigned To | dregad |
| Priority | high |
| Severity | tweak |
| Reproducibility | have not tried |
| Status | assigned |
| Resolution | open |
| Product Version | 1.2.5 |
| Summary | 0012957: Password stored md5-unsalted in database when LDAP authentication is enabled |
| Description | When LDAP authentication is enabled, the password field in the database is automatically updated upon login. This is helpful for systems where the authentication system may be migrated from LDAP to local, but is unnecessary in environments where LDAP is a strict requirement. It exposes additional information in an insecure manner (MD5, no salt). This behavior should at least be configurable, if not stored in a more secure manner. |
| Steps To Reproduce | |
| Additional Information | Minor patch would be to: document the new variable and set it in the configuration. |
| Tags | patch |

| Relationship | Issue | Status | Assigned To | Summary |
|---|---|---|---|---|
| related to | 0015721 | closed | grangeway | Functionality to consider porting to master-2.0.x |
| related to | 0022839 | assigned | dregad | Deprecate MD5 login method and replace with BCRYPT hash |
| has duplicate | 0019393 | closed | atrol | Config-Parameter for LDAP password saving |
| has duplicate | 0026626 | closed | atrol | Add config option to not cache (insecure MD5) password hashes in the database |
| related to | 0022156 | closed | atrol | Password are stored in PLAIN TEXT |
| related to | 0025771 | closed | dregad | LDAP not update password |
| related to | 0029861 | closed | dregad | LDAPS - no new users possible & password in cleartext |
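
The storage behaviour this issue reports, as an added illustration that is not MantisBT's own code: the unsalted MD5 write beside a hardened variant guarded by a hypothetical `ldap_cache_password` switch (the "new variable" the report asks for), plus an audit helper that flags legacy MD5 values in the password column so an administrator can find and clear them.

```php
<?php
// Added illustration, not MantisBT's own code. Shows the behaviour this issue
// reports (an LDAP-verified password cached locally as unsalted MD5) next to a
// hardened version, and an audit helper for finding legacy MD5 values.
// The cache switch passed in as $cache_enabled is a hypothetical config option.

// BEFORE: what the issue describes. Every LDAP login rewrites the local password
// column with md5($password): fast, unsalted, and lookup-table friendly.
function ldap_cache_password_insecure(string $password): string {
    return md5($password);
}

// AFTER: the local copy is written only if the site opts in, and then as a
// salted, slow bcrypt hash (PHP's password_hash) rather than raw MD5.
function ldap_cache_password_hardened(string $password, bool $cache_enabled): ?string {
    if (!$cache_enabled) {
        return null;            // LDAP-only deployments keep nothing locally
    }
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

// Audit: classify what is sitting in the password column so an admin can find
// and clear hashes written by the old code path. A bare 32-hex-digit value is
// the MD5 fingerprint; bcrypt output from password_hash starts with "$2y$".
function classify_stored_hash(?string $stored): string {
    if ($stored === null || $stored === '') {
        return 'none';
    }
    if (strncmp($stored, '$2y$', 4) === 0) {
        return 'bcrypt';
    }
    if (preg_match('/^[0-9a-f]{32}$/i', $stored) === 1) {
        return 'legacy-md5';
    }
    return 'unknown';
}

// Constructed sample values standing in for rows of the user table.
$rows = [
    'alice' => ldap_cache_password_insecure('CorrectHorse'),        // old path
    'bob'   => ldap_cache_password_hardened('CorrectHorse', true),  // opted in
    'carol' => ldap_cache_password_hardened('CorrectHorse', false), // LDAP only
];
foreach ($rows as $user => $hash) {
    printf("%-6s %s\n", $user, classify_stored_hash($hash));
}
```

Running the audit function over the real password column (not the constructed rows above) shows which accounts still carry an MD5 value that the old code path wrote.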
This issue also occurs when a user is created.

The version of the LDAP API in our next branch [which supports multiple servers] doesn't store the password locally. Storing an LDAP password locally is really a security risk IMO.

Reopened: there is no "Fixed in Version", and we will have no "Roadmap" and "Changelog". There is no patch / changeset attached, which will confuse any user who has a look at this issue.

This is fixed in the mantis-2.x branch.

Marking as 'acknowledged', not resolved/closed, to track that the change gets ported to the master-2.0.x branch.

Noticed this bug the hard way, and the bug still exists in 1.2.19. Is this planned to be fixed? I think "select md5('XX');" is quite simple to crack today with hashcat.net and a decent graphics card.

I agree this is an issue, and it will get fixed eventually, but TBH it's not very high on my radar at the moment. If you're able and willing to contribute a patch, it would be more than welcome. The best would be a pull request on GitHub, or alternatively a unified diff.

One more PR: https://github.com/mantisbt/mantisbt/pull/713

Latest PR for it: https://github.com/mantisbt/mantisbt/pull/718

Folks: this is a security issue. I seriously don't understand why it can't be fixed. It's not like there aren't any suitable patches, pull requests (the latest being https://github.com/mantisbt/mantisbt/pull/718) and the like. What is required to get the proper attention for this?

Seems related to: https://mantisbt.org/bugs/view.php?id=22839

@atrol @dregad @vboctor what is needed to finally fix either this (0012957) or 0022839? Do any of you accept money to work on such things? How many man-hours would it take, and what is your hourly rate?

I'm using the currently suggested patch on GitHub; I'd be thrilled if an updated version of the code could be merged, as I have to maintain a local patch. Could I assist with this somehow?

@yosh As is always the case with open source projects, everyone lacks time, money, code reviewers, and testing bandwidth. So you've been using the patch and it works? The patch still applies cleanly on master? If so, I could apply it to my staging environment and test also...

I don't think the patch applies cleanly anymore, I believe I had to shuffle some lines/functions around last time. I've been using it without complaints for a long time. I'll try to open a PR based on it when I do my next upgrade.
