View Issue Details

ID: 0025380
Project: mantisbt
Category: security
View Status: public
Last Update: 2019-01-23 21:15
Reporter: jamespharvey20
Assigned To:
Priority: high
Severity: major
Reproducibility: always
Status: new
Resolution: open
Product Version: 2.19.0
Summary: 0025380: Should warn if config is globally readable
Description

It's great that Mantis warns if the admin directory is left around.

Likewise, I think it would be great if Mantis warned if at least its config_inc.php was world readable, possibly other _inc.php files, but I haven't learned what those are for yet.

It contains passwords for the database, likely SMTP, and the salt.

Of course, a distribution's package can set ownership and permissions properly. But, it would be a nice double check for Mantis to do this in case a distribution doesn't do this. (Mine didn't, but I've reported that.) It would also be good for people manually installing who don't get the benefit of their distribution potentially doing this, or if someone inadvertently changes permissions.

Tags: No tags attached.

Activities

There are no notes attached to this issue.
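
The check requested in the description could look like the following. This is an added example, not MantisBT code and not part of the original report; the function name `check_config_permissions` and the temporary file standing in for `config_inc.php` are assumptions made for illustration.

```php
<?php
// Added example, not MantisBT code. The function name and the demo file are hypothetical.

/**
 * Return warnings for files whose mode bits grant access to "other" users.
 * An empty array means no problem was found (or the check does not apply).
 */
function check_config_permissions(array $paths): array {
    $warnings = [];
    // POSIX mode bits are not meaningful on Windows; skip instead of reporting a false result.
    if (DIRECTORY_SEPARATOR === '\\') {
        return $warnings;
    }
    foreach ($paths as $path) {
        clearstatcache(true, $path);   // avoid acting on a cached stat result
        $mode = @fileperms($path);
        if ($mode === false) {
            $warnings[] = "$path: cannot stat file, permissions not verified";
            continue;
        }
        $perms = $mode & 0777;         // keep only the rwx bits for owner/group/other
        if ($perms & 0004) {
            $warnings[] = sprintf('%s: world-readable (mode %04o)', $path, $perms);
        }
        if ($perms & 0002) {
            $warnings[] = sprintf('%s: world-writable (mode %04o)', $path, $perms);
        }
    }
    return $warnings;
}

// Constructed demo: a temporary file stands in for config_inc.php.
$demo = tempnam(sys_get_temp_dir(), 'cfg');
foreach ([0644, 0640] as $mode) {
    chmod($demo, $mode);
    $result = check_config_permissions([$demo]);
    printf("%04o -> %s\n", $mode, $result ? implode('; ', $result) : 'ok');
}
unlink($demo);
```

With mode 0640 the file stays readable by the web server only if that account owns the file or belongs to its group, so ownership has to be set along with the mode.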