Upgrade to release 2.1.27.8 converts encrypted database password back to clear-text #1919

Closed
jnikolich opened this issue Sep 22, 2017 · 4 comments

Steps to reproduce

  1. Start with a working installation of Teampass that had an encrypted database password saved in ./includes/config/settings.php
  2. Follow the upgrade process to successfully upgrade to release 2.1.27.8 (commit 775e691).
  3. Log into Teampass to confirm successful post-upgrade operation.

Expected behaviour

The database password saved in ./includes/config/settings.php should be in encrypted form.

Actual behaviour

The database password has now been saved back in clear-text form. Examining the pre-upgrade directory confirms that originally the password was saved in encrypted form.

Server configuration

Operating system: Fedora 26 (x86_64)

Web server: Apache 2.4.27

Database: MariaDB 10.1.26

PHP version: 7.1.9

Teampass version: 2.1.27.8 (commit 775e691)

Teampass configuration file:

<?php
global $SETTINGS;
$SETTINGS = array (
    'max_latest_items' => '10',
    'enable_favourites' => '0',
    'show_last_items' => '1',
    'enable_pf_feature' => '0',
    'log_connections' => '0',
    'log_accessed' => '1',
    'time_format' => 'H:i:s',
    'date_format' => 'Y-m-d',
    'duplicate_folder' => '0',
    'item_duplicate_in_same_folder' => '0',
    'duplicate_item' => '0',
    'number_of_used_pw' => '0',
    'manager_edit' => '1',
    'cpassman_dir' => '/opt/teampass/teampass_prod',
    'cpassman_url' => 'https://www.example.com/tp',
    'favicon' => 'https://www.example.com/tp/favicon.ico',
    'path_to_upload_folder' => '/opt/teampass/teampass_prod/upload',
    'url_to_upload_folder' => 'https://www.example.com/tp/upload',
    'path_to_files_folder' => '/opt/teampass/teampass_prod/files',
    'url_to_files_folder' => 'https://www.example.com/tp/files',
    'activate_expiration' => '0',
    'pw_life_duration' => '0',
    'maintenance_mode' => '0',
    'enable_sts' => '1',
    'encryptClientServer' => '1',
    'cpassman_version' => '2.1.27',
    'ldap_mode' => '0',
    'ldap_type' => '0',
    'ldap_suffix' => '0',
    'ldap_domain_dn' => '0',
    'ldap_domain_controler' => '0',
    'ldap_user_attribute' => '0',
    'ldap_ssl' => '0',
    'ldap_tls' => '0',
    'ldap_elusers' => '0',
    'ldap_search_base' => '0',
    'richtext' => '0',
    'allow_print' => '0',
    'roles_allowed_to_print' => '0',
    'show_description' => '0',
    'anyone_can_modify' => '0',
    'anyone_can_modify_bydefault' => '0',
    'nb_bad_authentication' => '0',
    'utf8_enabled' => '1',
    'restricted_to' => '0',
    'restricted_to_roles' => '0',
    'enable_send_email_on_user_login' => '0',
    'enable_user_can_create_folders' => '0',
    'insert_manual_entry_item_history' => '0',
    'enable_kb' => '0',
    'enable_email_notification_on_item_shown' => '0',
    'enable_email_notification_on_user_pw_change' => '0',
    'custom_logo' => '',
    'custom_login_text' => '',
    'default_language' => 'english',
    'send_stats' => '0',
    'send_statistics_items' => '',
    'send_stats_time' => '1502642746',
    'get_tp_info' => '1',
    'send_mail_on_user_login' => '0',
    'nb_items_by_query' => 'auto',
    'enable_delete_after_consultation' => '0',
    'enable_personal_saltkey_cookie' => '0',
    'personal_saltkey_cookie_duration' => '31',
    'email_smtp_server' => '',
    'email_smtp_auth' => '',
    'email_auth_username' => '',
    'email_auth_pwd' => '',
    'email_port' => '',
    'email_security' => '',
    'email_server_url' => '',
    'email_from' => '',
    'email_from_name' => '',
    'pwd_maximum_length' => '40',
    'google_authentication' => '0',
    'delay_item_edition' => '0',
    'allow_import' => '0',
    'proxy_ip' => '',
    'proxy_port' => '',
    'upload_maxfilesize' => '10mb',
    'upload_docext' => 'doc,docx,dotx,xls,xlsx,xltx,rtf,csv,txt,pdf,ppt,pptx,pot,dotx,xltx',
    'upload_imagesext' => 'jpg,jpeg,gif,png',
    'upload_pkgext' => '7z,rar,tar,zip',
    'upload_otherext' => 'sql,xml',
    'upload_imageresize_options' => '1',
    'upload_imageresize_width' => '800',
    'upload_imageresize_height' => '600',
    'upload_imageresize_quality' => '90',
    'use_md5_password_as_salt' => '0',
    'ga_website_name' => 'TeamPass for ChangeMe',
    'api' => '0',
    'subfolder_rights_as_parent' => '0',
    'show_only_accessible_folders' => '0',
    'enable_suggestion' => '0',
    'otv_expiration_period' => '7',
    'default_session_expiration_time' => '60',
    'duo' => '0',
    'enable_server_password_change' => '0',
    'ldap_object_class' => '0',
    'bck_script_path' => '/opt/teampass/teampass_prod/backups',
    'bck_script_filename' => 'bck_teampass',
    'syslog_enable' => '0',
    'syslog_host' => 'localhost',
    'syslog_port' => '514',
    'manager_move_item' => '1',
    'create_item_without_password' => '0',
    'otv_is_enabled' => '0',
    'agses_authentication_enabled' => '0',
    'item_extra_fields' => '1',
    'saltkey_ante_2127' => 'none',
    'migration_to_2127' => 'done',
    'files_with_defuse' => 'done',
    'timezone' => 'America/Toronto',
    'copy_to_clipboard_small_icons' => '1',
    'tree_counters' => '1',
    'teampass_version' => '2.1.27',
    );

Updated from an older Teampass or fresh install: Upgraded from 33cd61c to 775e691

Client configuration

Browser:

Operating system:

Logs

Web server error log

No obvious errors in the httpd logs

roru69 commented Sep 23, 2017

Commit: 775e691

Same behaviour in my installation.

Debian Jessie, MariaDB, PHP 7.0

Regards, Roru69

nilsteampassnet (Owner) commented Sep 23, 2017

How strange ... can I just know the 3 first letters of your pwd?
You can send the answer by email (nils@teampass.net)

nilsteampassnet added a commit that referenced this issue Sep 23, 2017
Fix for #1919

nilsteampassnet (Owner) commented

I found the reason why this could occur and provided a fix.
The release 2.1.27.8 has been updated.

To fix this, copy the install folder from the new 2.1.27.8 package into your Teampass folder.
Then run install/upgrade.php.
This will rebuild the settings.php file.

jnikolich (Author) commented

Tested the fix by upgrading from commit 775e691 to 2dcba5d. Checked $pass in ./includes/config/settings.php, and confirmed that the DB password has now been saved in encrypted form.

Thanks for the very quick fix. Closing this issue, on the assumption that @roru69 will also find that this fix addresses the issue in his installation.
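
The check described in this thread (inspecting $pass in ./includes/config/settings.php before and after an upgrade), as an added example that is not part of the original issue or of Teampass itself. It assumes the encrypted form is a Defuse php-encryption v2 ciphertext (lowercase hex starting with def50200, at least 168 hex characters); the function names and sample file contents are constructed for illustration.

```python
import re

# Assumption: the encrypted form is a Defuse php-encryption v2 ciphertext,
# i.e. lowercase hex starting with "def50200", at least 84 bytes (168 hex chars).
DEFUSE_V2 = re.compile(r"def50200[0-9a-f]{160,}")

# First quoted string on the "$pass = ..." line; also matches a value wrapped
# in a function call. Does not handle escaped quotes inside the value.
PASS_LINE = re.compile(r"""^[ \t]*\$pass[ \t]*=[^;"'\n]*(["'])(.*?)\1""", re.MULTILINE)


def extract_db_password(settings_text):
    """Return the string assigned to $pass, or None if no assignment is found."""
    match = PASS_LINE.search(settings_text)
    return match.group(2) if match else None


def classify_db_password(settings_text):
    """Classify $pass as 'encrypted', 'cleartext' or 'missing'."""
    value = extract_db_password(settings_text)
    if value is None:
        return "missing"
    return "encrypted" if DEFUSE_V2.fullmatch(value) else "cleartext"


def upgrade_regressed(before_text, after_text):
    """True when $pass was encrypted before the upgrade and is clear-text after."""
    return (classify_db_password(before_text) == "encrypted"
            and classify_db_password(after_text) == "cleartext")


# Constructed sample files (not real Teampass data). The clear-text sample
# starts with "def" on purpose: a prefix-only test would misclassify it.
SAMPLE_CIPHERTEXT = "def50200" + "ab" * 80
PRE_UPGRADE = '<?php\n$user = "teampass";\n$pass = "%s";\n' % SAMPLE_CIPHERTEXT
POST_UPGRADE_BAD = '<?php\n$user = "teampass";\n$pass = "default-Example1";\n'
POST_UPGRADE_FIXED = PRE_UPGRADE

if __name__ == "__main__":
    print("pre-upgrade:      ", classify_db_password(PRE_UPGRADE))
    print("post-upgrade bad: ", classify_db_password(POST_UPGRADE_BAD))
    print("regressed:        ", upgrade_regressed(PRE_UPGRADE, POST_UPGRADE_BAD))
    print("regressed (fixed):", upgrade_regressed(PRE_UPGRADE, POST_UPGRADE_FIXED))
```

To use it on a real installation, read the pre-upgrade backup and the live settings.php into strings and pass them to `upgrade_regressed`; the script never prints the password value itself.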
