mysql db password stored in plaintext (workaround: store mysql password externally)

I have noticed that osTicket stores its database password in the ost-config.php file in plaintext; it would make me feel a lot better if it was encrypted.

There's a good workaround on the MediaWiki site on how to move sensitive data outside of the public HTML dir. I haven't tried it yet, but I think it will work for osTicket too: https://www.mediawiki.org/wiki/Manual:Securing_database_passwords

I'm wondering what the osTicket devs have to say? Is it really considered secure to rely on user/group permissions to protect this data?

Comments

  • Last I checked... WordPress, Drupal, Joomla, and many other products all do the same. But I will pass along your concern to them.
  • I mean, this is something we can look into in the future, but as @ntozier said, all the major software does this. If you protect your server correctly, stealing the db password will never be an issue. :)

    Cheers.
  • You're right, a lot of PHP apps do this. Thanks guys, I guess proper security permissions wins at the end of the day.
  • @JDeTeves No problem my dude. If you have any other questions or concerns feel free to post them! Cheers.
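
A check for the two controls discussed in this thread (keeping the credential file outside the public HTML directory, and relying on user/group permissions), as an added example that is not part of the original posts or of osTicket's code. The function names and finding labels are made up for illustration; the file and web-root paths are whatever the caller passes in.

```shell
# Added example: audit where a DB-credential file lives and who can access it.

# Print octal permission bits (GNU stat first, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Physical absolute path of a file, without needing realpath(1).
abs_path() {
    local dir
    dir=$(cd "$(dirname "$1")" && pwd -P) || return 1
    printf '%s/%s\n' "${dir%/}" "$(basename "$1")"
}

# audit_secret_file FILE WEBROOT
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_secret_file() {
    local file webroot f w mode other group findings
    file=$1; webroot=$2; findings=0
    [ -f "$file" ] || { echo "MISSING: $file"; return 1; }
    f=$(abs_path "$file") || return 1
    w=$(cd "$webroot" && pwd -P) || return 1

    # Finding: the file sits inside the tree the web server serves, so if
    # PHP handling ever breaks it would be returned as plain text.
    case "$f" in
        "${w%/}"/*) echo "IN_WEBROOT: $f is under $w"; findings=1 ;;
    esac

    mode=$(file_mode "$file") || return 1
    other=$(( 0$mode & 7 ))          # permission bits for "other"
    group=$(( (0$mode >> 3) & 7 ))   # permission bits for the group

    # Finding: every local account can read the password.
    [ $(( other & 4 )) -ne 0 ] && { echo "WORLD_READABLE: mode $mode"; findings=1; }
    # Finding: an account other than the owner can rewrite the config.
    [ $(( (other | group) & 2 )) -ne 0 ] && { echo "NON_OWNER_WRITABLE: mode $mode"; findings=1; }

    return $findings
}
```

Call it as `audit_secret_file /path/to/ost-config.php /path/to/webroot`; a clean result needs the file outside the web root, unreadable by "other", and writable only by its owner.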