matomo-org/docker

Password stored as plain text

TylerMiller-TomTom opened this issue · 2 comments

Originally posted at matomo-org/matomo#15768

I am using image matomo:3-apache pulled after the latest update of that image 8 hours ago as of this posting.

I exec into the container and log the contents of the config.ini.php to find the superuser password stored in plain text in the config file.

This is a fairly major security concern for us, as we plan to deploy under Kubernetes and we have users with access to Kubernetes, where this effectively gives them access to the superuser account.

> I exec into the container and log the contents of the config.ini.php to find the superuser password stored in plain text in the config file.

Where is the superuser password stored? In Matomo, no password would be stored in the config file, except the "Database password", which we have no choice but to store there (best practice is that the DB server is not accessible from the internet).

There is no security issue. It's being discussed further in matomo-org/matomo#15768
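As an added example, not code from the issue or from the Matomo project, here is a small audit helper a reviewer could run against a config.ini.php to confirm the maintainer's statement above: it parses the INI body and lists every key that looks like a credential, flagging any outside the expected set. The sample config is constructed to mimic the file's layout (PHP guard line, `[database]` section); the set of expected secret keys is an assumption, as is the file-permission check.

```python
import configparser
import os
import stat

# Constructed sample modelled on a Matomo config.ini.php (not a real file):
# a PHP guard line, then plain INI sections.
SAMPLE_CONFIG = """; <?php exit; ?> DO NOT REMOVE THIS LINE
[database]
host = "db"
username = "matomo"
password = "constructed-db-secret"
dbname = "matomo"

[General]
salt = "constructed-salt"
trusted_hosts[] = "analytics.example.test"
"""

# Substrings that mark a key as credential-like.
SECRET_MARKERS = ("password", "secret", "token", "salt")
# Assumption: the only secrets this file legitimately carries.
EXPECTED_SECRETS = {("database", "password"), ("General", "salt")}

def find_secrets(text: str) -> list[tuple[str, str]]:
    """Return (section, key) pairs whose key name looks like a credential."""
    # The guard line starts with ';' (an INI comment), drop it explicitly anyway.
    body = "\n".join(l for l in text.splitlines() if not l.startswith("; <?php"))
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # keep key case; Matomo keys are case-sensitive
    cp.read_string(body)
    return [(s, k) for s in cp.sections() for k in cp[s]
            if any(m in k.lower() for m in SECRET_MARKERS)]

def unexpected_secrets(text: str) -> list[tuple[str, str]]:
    """Credential-like keys that are not in the expected set."""
    return sorted(set(find_secrets(text)) - EXPECTED_SECRETS)

def world_readable(path: str) -> bool:
    """True if group or others can read the file (assumed check for a mounted config)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))

if __name__ == "__main__":
    print("secrets found:", find_secrets(SAMPLE_CONFIG))
    print("unexpected:", unexpected_secrets(SAMPLE_CONFIG))
```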