Closed Bug 147813 Opened 22 years ago Closed 22 years ago

Any Windows/IIS installation automatically reveals the db password

Categories

(Bugzilla :: Documentation, enhancement, P1)

Product:
Bugzilla
Component:
Documentation
Version:
2.17
Platform:
x86
Windows NT
Type:
enhancement

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Bugzilla 2.18

People

(Reporter: jouni, Assigned: jacob)

References

Details

Ooph. I just realized that any installation running on Win32/IIS automatically
reveals the db password to anyone who asks it using a browser, since localconfig
is by no means protected (IIS doesn't do .htaccess). Actually, I think the same
goes for any other web server without htaccess support, too. 

Good ideas, anyone? I think this could be acceptable if we did warn the user
about this somewhere (checksetup.pl?), but to avoid annoying the Apache masses
we should somehow be able to detect the web server used... Which sounds
nigh-impossible to do. A documentation note?
I'm pretty sure this is in the docs.  Yep:

http://www.bugzilla.org/docs216/html/security.html   5.6.5
http://www.bugzilla.org/docs/html/security.html   4.4.5

It's also in the release notes, right near the top. (5th paragraph under
"recommended practice for the upgrade")

http://www.bugzilla.org/docs216/rel_notes.txt
http://www.bugzilla.org/docs/rel_notes.txt

I think since this is already noted in the docs and in the release notes, that
makes this WORKSFORME unless someone comes up with a way for us to set IIS's
ACLs from checksetup.pl...  :-)
I stand corrected. The documentation thing sucks but does the job, and I don't
have a better proposal at hand. But despite the fact that mistake was mine, what
can we learn from this? 

When I first installed Bugzilla on Win32, I _did_ read through the manual. Not
all the sections, but security certainly was one of those I did read. I
apparently missed the documentation note because it was a small paragraph buried
in a load of stuff that didn't apply to me. I _did_ see the release note, but
seeing that it only referred to documents I read earlier, I must've somehow
skipped it again.

Even in the 2.16 docs, this security issue doesn't have visibility in proportion
to its importance. I mean, hey, the security section starts by talking about
MySQL versions and removing inetd:s - issues that can be covered by proper
firewalling etc. Something this important should not be buried below generic
unix securing measures.


I agree with justdave that this is WORKSFORME as it is. Unless somebody objects,
I'll morph this into a 2.18 documentation RFE.
Well.

There isn't any reason that the data dir (into which localconfig really belongs)
has to be readable from the web at all. The webdot stuff is it, really, and that
can (And probably should) go somewhere else anyway.

We should move the db stuff into params, and then have localconfig give us the
path to the datadirectory.
Yeah, but there's already another bug for that (moving the localconfig params
around).  If there isn't, there should be.  Seems like that's been discussed in
one of the Makefile bugs at least if not on its own somewhere.
Group: webtools-security?
Severity: normal → enhancement
Component: Bugzilla-General → Documentation
Priority: -- → P1
Target Milestone: --- → Bugzilla 2.18
In the meantime, the short-term fix is to make sure installation instructions
for UNIX and Win32 are self-contained.  We risk data duplication with this
setup, but I can simply make the sections that bear repeating (platform-agnostic
security information) a macro and invoke them from the appropriate sections.

Thanks for the bug submission.  The layout of those installation sections
(particularly, the huge errata section) has been bugging me for a while.  This
is a good excuse to clean it up.
Status: NEW → ASSIGNED
The security page has been revised quite heavily.  About half the page now talks
about restricting access to file such as localconfig and data/.  It also
contains the Apache specific .htaccess we use in checksetup.pl, but with a not
that you should do similar with whatever your webserver is.
Depends on: 191034
-> jake
Assignee: justdave → jake
Status: ASSIGNED → NEW
The security section has changed again... now it has a specific list of what
should not be accessable. It also has links to the webserver specific section,
but that section does not contain instructions for configuring IIS (because none
have been submitted).
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
QA Contact: matty_is_a_geek → default-qa
You need to log in before you can comment on or make changes to this bug.