Pull Request for Issue #31719
When you change your configuration for example
Joomla RETAINS your credentials in HIDDEN fields in Joomla global configuration and stores them in PLAIN TEXT in /configuration.php - but you don't know this because Joomla hides that fact from you.
A super admin, who has done one of the above actions is rightly assuming Joomla will discard the credentials as the credential input boxes are no longer shown to them.
Plus, why should Joomla retain - in plain text - credentials that it no longer needs to operate? This is an additional security issue should the site be compromised.
Same with outbound proxy.
Joomla stores forever the credentials of services no longer used, in plain text, in configuration.php
Joomla deletes the credentials of services no longer used
None. Fully backward compatible.
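The retention problem described above, as an added audit example that is not part of this PR or of Joomla's own code: it parses a constructed configuration.php, reports credentials that are still populated although the feature that needs them (SMTP mailer, outbound proxy) is switched off, and shows what clearing them on save leaves behind. The property names ($mailer, $smtpuser, $smtppass, $proxy_enable, $proxy_user, $proxy_pass) are assumed to match Joomla's configuration.php; the sample file and its values are constructed.

```python
"""
Audit a Joomla-style configuration.php for credentials retained by
features that are switched off (SMTP mailer, outbound proxy).

Constructed example, not Joomla's own code. It assumes the property
names Joomla writes to configuration.php ($mailer, $smtpuser, $smtppass,
$proxy_enable, $proxy_user, $proxy_pass); adjust if your install differs.
"""
import re

# Constructed sample: mailer switched to sendmail and proxy disabled,
# but the old SMTP and proxy credentials are still present.
SAMPLE_CONFIG = """<?php
class JConfig {
\tpublic $sitename = 'Example';
\tpublic $mailer = 'sendmail';
\tpublic $smtpauth = true;
\tpublic $smtpuser = 'mailer@example.test';
\tpublic $smtppass = 'hunter2';
\tpublic $smtphost = 'smtp.example.test';
\tpublic $proxy_enable = false;
\tpublic $proxy_host = 'proxy.example.test';
\tpublic $proxy_user = 'proxyuser';
\tpublic $proxy_pass = 'proxypass';
}
"""

# Credential keys that are only needed while a given switch has a given value.
# Constructed mapping for the two features discussed in the PR.
DEPENDENT_SECRETS = {
    "mailer": ("smtp", ("smtpuser", "smtppass")),
    "proxy_enable": (True, ("proxy_user", "proxy_pass")),
}

# One "public $name = value;" property: single-quoted, double-quoted,
# boolean or integer literal.
_PROP = re.compile(
    r"""public\s+\$(\w+)\s*=\s*"""
    r"""(?:'((?:[^'\\]|\\.)*)'|"((?:[^"\\]|\\.)*)"|(true|false|\d+))\s*;"""
)


def parse_config(text):
    """Return {name: value} for the public properties of a JConfig class."""
    config = {}
    for m in _PROP.finditer(text):
        name, sq, dq, bare = m.groups()
        if bare is not None:
            value = (bare == "true") if bare in ("true", "false") else int(bare)
        else:
            value = sq if sq is not None else dq
        config[name] = value
    return config


def retained_credentials(config):
    """List credential keys still populated although their feature is off."""
    findings = []
    for switch, (needed_value, secrets) in DEPENDENT_SECRETS.items():
        if config.get(switch) == needed_value:
            continue  # feature is on, its credentials are legitimately needed
        for key in secrets:
            if config.get(key):
                findings.append(key)
    return findings


def scrub(config):
    """Return a copy with credentials of disabled features emptied (what the PR does on save)."""
    cleaned = dict(config)
    for key in retained_credentials(config):
        cleaned[key] = ""
    return cleaned


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for key in retained_credentials(cfg):
        print(f"retained credential for a disabled feature: ${key}")
    print("after scrub:", retained_credentials(scrub(cfg)))
```

Run it against a real configuration.php by reading the file into `parse_config` instead of `SAMPLE_CONFIG`; non-secret settings such as the SMTP or proxy host are deliberately left alone, since only the credentials are the exposure the PR addresses.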
Status: New ⇒ Pending
Category: ⇒ Administration com_config
I have tested this item
Status: Pending ⇒ Ready to Commit
RTC
Are we sure that this is a good idea?
For example, I set up SMTP and confirm it is working, but decide to check and see if sendmail is a better option. I decide it is not, and now I have to find the details for SMTP again.
This is a destructive change that is made without any notice to the user.
Plain text credentials should not be stored for disabled features. Basic security.
> Plain text credentials should not be stored for disabled features. Basic security.

If someone can read that plain text, then the SMTP details are the least of your problems.
I'm sorry that you do not understand. This PR stands and is a valid and correct implementation of basic security principles - for that reason alone it should be merged.
> This is a destructive change that is made without any notice to the user.
Hint. Tell the user before making a destructive change.
Well feel free to make a PR to give a message.
However I do not believe a message is needed and Joomla already makes other changes during save that are not communicated and my expectation as a user would be that my password would not be retained if I disabled the feature.
Agree to disagree then. Just like your other PR.
No you just love to disagree even when you are simply wrong. Luckily this is not your project and your opinion is only a single voice.
Status: Ready to Commit ⇒ Closed
Closed_Date: 0000-00-00 00:00:00 ⇒ 2022-03-07 18:34:32
Closed_By: ⇒ PhilETaylor
I have tested this item successfully on b1d29ba
Tested successfully in 4.1.1-dev of 7 March in Wampserver 3.2.7 with PHP 8.0.15
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/37221.