Bug #29066 security problem: password in 'config.properties' not encrypted
Submitted: 13 Jun 2007 9:18    Modified: 9 Jul 2007 19:47
Reporter: Carsten Segieth
Status: Closed
Category: MySQL Enterprise Monitor: Server    Severity: S2 (Serious)
Version: 1.2.0.5934    OS: Any
Assigned to: Peter Lavin    CPU Architecture: Any
Tags: password, Security

[13 Jun 2007 9:18] Carsten Segieth
Description:
The password stored in file apache-tomcat/webapps/merlin/config.properties is 'human readable':

#SymmetricKey was auto generated.
#Wed Jun 13 10:41:18 CEST 2007
mysql.basedir=/users/csegieth/merlin/monitoring/1.2.0.5934/qa-srv-b/fresh_120r5934/apache-tomcat/webapps/merlin/mysql
mysql.port=23300
mysql.user=dba_user
close_mysql_on_shutdown=true
mysql.db=merlin
use_connector_mxj=true
mysql.server=localhost
mysql.pass=dba_password
key=428BA581FFC31356
mysql.datadir=/users/csegieth/merlin/monitoring/1.2.0.5934/qa-srv-b/fresh_120r5934/apache-tomcat/webapps/merlin/mysql/data

How to repeat:
Install the server and check the file content.

Suggested fix:
Encrypt the password.
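Added example, not part of the bug report or of the Monitor product: a small Python audit that reads a java.util.Properties file, flags keys such as mysql.pass and key whose values are stored in clear, and checks whether the file is readable by accounts other than its owner, which is the check an operator would run after securing the file as the later comment requests. The sample contents below are constructed from the report (paths omitted) and the key-name pattern is an assumption.

```python
import os
import re
import stat
# Constructed sample modelled on the config.properties quoted in the report
# (paths omitted); it is not the reporter's actual file.
SAMPLE_PROPERTIES = """\
#SymmetricKey was auto generated.
#Wed Jun 13 10:41:18 CEST 2007
mysql.port=23300
mysql.user=dba_user
mysql.pass=dba_password
key=428BA581FFC31356
"""

# Assumed pattern for key names that normally hold a credential or key material.
CREDENTIAL_KEY = re.compile(r"(pass(word|wd)?|secret|token|key)$", re.IGNORECASE)

def parse_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' comments, '=', ':' or
    whitespace separators, backslash line continuations. Escapes are left as-is."""
    props, logical = {}, ""
    for raw in text.splitlines():
        line = raw.lstrip()
        if not logical and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            logical += line[:-1]          # continuation: join with the next line
            continue
        logical += line
        m = re.match(r"([^=:\s]+)\s*[=:\s]\s*(.*)", logical)
        if m:
            props[m.group(1)] = m.group(2).rstrip()
        logical = ""
    return props

def cleartext_credentials(props):
    """Keys whose name suggests a secret and whose value is non-empty."""
    return sorted(k for k, v in props.items() if CREDENTIAL_KEY.search(k) and v)

def readable_by_others(path):
    """True if the group or other read bit is set (e.g. mode 0644)."""
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))

def audit(path):
    """Cleartext secrets in a properties file plus whether other accounts can read it."""
    with open(path, encoding="latin-1") as fh:   # Properties files are ISO-8859-1
        props = parse_properties(fh.read())
    return {"cleartext": cleartext_credentials(props),
            "readable_by_others": readable_by_others(path)}
```

Run it as audit("apache-tomcat/webapps/merlin/config.properties") from the install directory; a non-empty "cleartext" list together with "readable_by_others": True is the condition this report describes.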
[6 Jul 2007 19:26] Gary Whizin
Please document that this file should be secured (same idea as existing docs re: merlin.xml and the configuration report).
[9 Jul 2007 19:47] Peter Lavin
Documented that the password in the "config.properties" file is not encrypted.