Security vulnerability

Hi everyone,

Is there a security vulnerability with Mautic? The local PHP file contains both my username and password and is located in a public HTML folder. You can find the Mautic root path here: app/config/local.php.

If so, what security procedures do you recommend, such as 2FA, plugin, etc.?

Regards,
Hal
DevCEd Team

You need to store it somewhere.
And that is not your username, but DB, and SMTP credentials.
The .htaccess file should make sure the unwanted files are not accessible.

2 Likes

Additionally, you can store such data in env. variables on the server. This is just an addition to what joeyk has said.

Implementing this alone is not enough.

2 Likes
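As an added example (not code from Mautic itself and not from any post in this thread), this is what "store such data in env. variables" can look like in a Mautic 4 `app/config/local.php`: only the secrets come from the environment and the file itself contains no credentials. The environment variable names (`MAUTIC_DB_HOST`, `MAUTIC_DB_PASSWORD`, and so on) and the `requireEnv` helper are assumptions chosen for this example; the `$parameters` keys are the ones Mautic's local.php already uses.

```php
<?php
// Added example, not Mautic's own local.php.
// Assumption: the variable names below are set by whatever starts PHP
// (a systemd unit, a php-fpm pool file with env[...] entries, or the
// web server's SetEnv). Mautic does not define these names itself.

/**
 * Read a required variable from the environment and fail closed when it
 * is missing, so a misconfigured host never silently runs with empty
 * database or SMTP credentials.
 */
function requireEnv(string $name): string
{
    $value = getenv($name);
    if ($value === false || $value === '') {
        throw new RuntimeException(sprintf('Environment variable %s is not set', $name));
    }

    return $value;
}

// Mautic reads the $parameters array from this file. Non-secret settings
// stay in the file; secrets are resolved from the environment at runtime,
// so a copy of this file leaks no password.
$parameters = [
    'db_driver'       => 'pdo_mysql',
    'db_host'         => requireEnv('MAUTIC_DB_HOST'),
    'db_port'         => 3306,
    'db_name'         => requireEnv('MAUTIC_DB_NAME'),
    'db_user'         => requireEnv('MAUTIC_DB_USER'),
    'db_password'     => requireEnv('MAUTIC_DB_PASSWORD'),
    'mailer_user'     => requireEnv('MAUTIC_MAILER_USER'),
    'mailer_password' => requireEnv('MAUTIC_MAILER_PASSWORD'),
];
```

With php-fpm the values go into the pool file as `env[MAUTIC_DB_PASSWORD] = ...` (or set `clear_env = no` so the service's environment is passed through). Two caveats: Mautic's configuration screen rewrites local.php when you save it, so check the file after changes from the UI, and the environment approach does not replace the web-server rule; it is still worth requesting `/app/config/local.php` over HTTP once to confirm the shipped .htaccess answers with a 403 rather than the file.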

Hi,

Can we bundle Google Firebase Authenticator with Mautic:

(1) Firebase Authentication

(2) How to Build Firebase Multifactor Authentication

Regards,
Hal
DevCED Team

Looks like we have a Symfony bundle for Firebase: GitHub - kreait/firebase-bundle: A Symfony Bundle for the Firebase PHP Admin SDK

If we want to use the actively developed bundle, it looks like we have to wait until Mautic 5.

1 Like

What is the difference between the Symfony bundle for Firebase and the following:

To add Firebase Authentication OAuth 2.0 credential to Mautic 4.0, you can follow these steps:

  1. Log in to your Firebase account and go to the “Project settings” page for your project with ID “gmail-mail-xxxx”.
  2. Click on the “Service accounts” tab and then click on the “Generate new private key” button to download a JSON file containing your private key.
  3. Copy the contents of the JSON file to your clipboard.
  4. SSH into your Mautic server and navigate to the app/config directory.
  5. Create a new file called firebase_credentials.json in the app/config directory and paste the contents of the JSON file into the new file.
  6. In the Mautic dashboard, go to the “Plugins” section and click on the “Social” tab.
  7. Click on the “Add new” button and select “Google” as the provider.
  8. Enter a name for the provider and select “OAuth 2.0” as the authentication type.
  9. In the “Client ID” field, enter the value of the “client_id” field from the JSON file.
  10. In the “Client secret” field, enter the value of the “private_key” field from the JSON file.
  11. In the “Scopes” field, enter “email” and “profile”.
  12. Click on the “Save & Close” button to save the provider.

Once you have completed these steps, you should be able to use Firebase Authentication OAuth 2.0 to authenticate users in Mautic 4.0.

Regards,
Hal
DevCED Team

I have not used Firebase so far, so I am not sure.

What is meant by that? Do not understand this instruction.

Regards, M.

@team this is getting confusing. As @joeyk pointed out, the password in app/config/local.php file is not your user password but a database password.

It’s safer to store it in a PHP file than in any .env, yaml, json or other text format, because if you run Mautic, the idea is that PHP files are executables, and if someone accesses the file then it will execute rather than print out its content.

And as pointed out already, there is an .htaccess file that will secure it for Apache.

Then you are suggesting Firebase authentication. That is for user authentication, not database authentication.

Users have passwords stored in the database. The password is encrypted by standard algorithms, using salt and all that. They are as secure as they can be. If you want to use another provider for authentication then go ahead, but I fear that you will be confusing others when you discuss it on a forum topic called “Security vulnerability”. It’s unrelated.

3 Likes