Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


  • Categories
  • Recent
  • Tags
  • Popular
  • Bookmarks
Skins
  • Light
  • Cerulean
  • Cosmo
  • Flatly
  • Journal
  • Litera
  • Lumen
  • Lux
  • Materia
  • Minty
  • Morph
  • Pulse
  • Sandstone
  • Simplex
  • Sketchy
  • Spacelab
  • United
  • Yeti
  • Zephyr
  • Dark
  • Cyborg
  • Darkly
  • Quartz
  • Slate
  • Solar
  • Superhero
  • Vapor
  • Default (No Skin)
  • No Skin
Collapse

Cloudron Forum
Apps | Demo | Docs | Install

Dolibarr is unable to encrypt the database password as recommended

Scheduled Pinned Locked Moved Solved Dolibarr
3 Posts 2 Posters 446 Views
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • JOduMonTJ Offline
    JOduMonTJ Offline
    JOduMonT
    wrote on last edited by
    #1

    In the dolibarr dashboard, under Setup -> Security -> Password

    at the bottom of the page, under Parameters
    if I activate the Encrypt database password stored in php.INI, which is strongly recommended to activate this option
    Dolibarr stop working.

    My impression is Dolibarr don't have access or the right to write into the php.ini file.

    1 Reply Last reply
    0
  • JOduMonTJ JOduMonT marked this topic as a question on
  • nebulonN Online
    nebulonN Online
    nebulon Staff
    replied to JOduMonT on last edited by
    #0

    @JOduMonT thanks for the info and research. The encrypted password handling in dolibarr as described does not make too much sense for us, since the password might change during package update, depending on the database addon thus it always have to be fetched freshly. Further it will always be present in the app's environment as injected into the container.

    For phpinfo() I am not sure how this is an attack angle, since if one is able to inject php code to run phpinfo() the attacker might as well just simply dump the env variables manually.

    1 Reply Last reply
    1
  • JOduMonTJ Offline
    JOduMonTJ Offline
    JOduMonT
    wrote on last edited by
    #2

    I found this info

    1. The password is encrypted. We extend the PDO class to include logic for decrypting the password. If someone reads the code where we establish a connection, it won’t be obvious that the connection is being established with an encrypted password and not the password itself.
    2. The encrypted password is moved from the global variables into a private variable The application does this immediately to reduce the window that the value is available in the global space.
    3. phpinfo() is disabled. PHPInfo is an easy target to get an overview of everything, including environment variables.

    So how to

    • disable phpinfo to not being able to overview the variables
    • pass the password as a private variable
    nebulonN 1 Reply Last reply
    0
  • JOduMonTJ JOduMonT referenced this topic on
  • nebulonN Online
    nebulonN Online
    nebulon Staff
    replied to JOduMonT on last edited by
    #3

    @JOduMonT thanks for the info and research. The encrypted password handling in dolibarr as described does not make too much sense for us, since the password might change during package update, depending on the database addon thus it always have to be fetched freshly. Further it will always be present in the app's environment as injected into the container.

    For phpinfo() I am not sure how this is an attack angle, since if one is able to inject php code to run phpinfo() the attacker might as well just simply dump the env variables manually.

    1 Reply Last reply
    1
  • JOduMonTJ JOduMonT has marked this topic as solved on

  • Login
  • Don't have an account? Register
  • Login or register to search.
  • First post
    Last post
0
  • Categories
  • Recent
  • Tags
  • Popular
  • Bookmarks