Last modified: 2011-04-30 01:21:37 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T21472, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 19472 - user passwords are visible in plaintext in LocalSettings.php
Status: RESOLVED INVALID
Product: MediaWiki
Classification: Unclassified
Component: User login and signup
Version: 1.15.x
Hardware/OS: All / Linux
Importance: Normal normal
Assigned To: Nobody - You can work on this!
Reported: 2009-07-02 06:23 UTC by Rahul
Modified: 2011-04-30 01:21 UTC
Description Rahul 2009-07-02 06:23:22 UTC
The user passwords are seen in plaintext in the LocalSettings.php file under the variable "$wgDBpassword".

Shouldn't these be hashed or encrypted? Under Linux it is rare to have the passwords stored unencrypted. Isn't this insecure? What if the users are using the same passwords anywhere else?
Comment 1 Rahul 2009-07-02 06:24:55 UTC
I know that the permissions on LocalSettings.php are supposed to be pretty restrictive, yet I feel having the plaintext passwords hanging around is insecure and unnecessary. The fix could be a simple hash comparison (unless I am missing some PHP limitation).
Comment 2 Tim Starling 2009-07-02 06:28:01 UTC
The password needs to be delivered to MySQL in plain text, so MediaWiki needs to store it in plain text. This is true of any web application.
Comment 3 Rahul 2009-07-02 06:32:46 UTC
Any other workarounds? I haven't any experience with web-apps so did not realize that this was standard. Sorry! I just felt it was insecure to leave passwords lying around in plaintext. Oh, BTW maybe I confuse this issue: Since you mention mysql does that mean that this plaintext pw is only the master pw for the mysql database? 

Will all the other user assigned passwords not be in plaintext? That I could live with then!
Comment 4 Tim Starling 2009-07-02 07:58:33 UTC
(In reply to comment #3)
> Any other workarounds? I haven't any experience with web-apps so did not
> realize that this was standard. Sorry! I just felt it was insecure to leave
> passwords lying around in plaintext. Oh, BTW maybe I confuse this issue: Since
> you mention mysql does that mean that this plaintext pw is only the master pw
> for the mysql database? 
> 
> Will all the other user assigned passwords not be in plaintext? That I could
> live with then!

Yes it's only the password for the web server to connect to the database. It is not a password for a human, you do not need to remember it or record it anywhere other than LocalSettings.php, so you can set it to a long random string of characters not used anywhere else. Connections are typically limited by hostname so the effect of a compromise is limited. User passwords are stored in the database and are hashed with a double-round MD5 and a random salt.
Comment 5 Dan Jacobson 2009-07-04 00:30:19 UTC
Actually all along I've wanted to share my LocalSettings.php on the net directly so everybody could see the whizbang techniques I use.

OK, I could probably include() a separate file that contained the secrets like passwords and $wgSpamRegex at little extra overhead...
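An added illustration of the split Dan Jacobson describes in comment 5, combined with Tim Starling's advice in comment 4 to use a long random database password: this is example configuration written for this page, not code from MediaWiki or from either commenter. The file name `LocalSecrets.php` and the permission check are assumptions.

```php
<?php
// LocalSettings.php (excerpt). Everything in this file can be published;
// $wgDBpassword and other secrets are kept in a separate file that is
// mode 600, owned by the web server user and excluded from any repository.
// File name is an assumption for this example.
$wgSecretsFile = __DIR__ . '/LocalSecrets.php';

if ( !is_readable( $wgSecretsFile ) ) {
	die( 'LocalSecrets.php is missing or unreadable; refusing to start.' );
}

// Refuse to run if the secrets file is group- or world-readable. On Linux
// fileperms() returns st_mode, so mask down to the permission bits.
$secretsMode = fileperms( $wgSecretsFile ) & 0777;
if ( $secretsMode & 0077 ) {
	die( sprintf( 'LocalSecrets.php has mode %04o; run chmod 600 on it.', $secretsMode ) );
}

// LocalSecrets.php defines $wgDBpassword (and, if desired, $wgSpamRegex or
// other values you do not want to publish), e.g.
//   <?php
//   $wgDBpassword = 'PLACEHOLDER-long-random-string-used-nowhere-else';
// Generate the value once with something like: openssl rand -hex 24
require_once $wgSecretsFile;

// Non-secret database settings stay here. The account should be limited
// to connections from the web server host, as comment 4 notes.
$wgDBtype   = 'mysql';
$wgDBserver = 'localhost';
$wgDBname   = 'wikidb';
$wgDBuser   = 'wikiuser';
```

Because the web server still has to hand MySQL the plaintext password, this does not remove the secret from disk; it only narrows who can read it and keeps it out of the file you share.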
