Recent changes to 12: Avoid cleartext passwords in config.php

#12 Avoid cleartext passwords in config.php

Marcin Kucharczyk — Sun, 24 Apr 2016 20:43:31 -0000

I solved the problem protecting the phpvirtualbox folder with .htaccess/.htpasswd and making a small modification of config.php:

% diff config.php.sample config.php
8a9
>
12,13c13,20
< var $username = 'vbox';
< var $password = 'pass';
---
> var $username = '';
> var $password = '';
>
> public function __construct()
> {
>   $this->username = $_SERVER["PHP_AUTH_USER"];
>   $this->password = $_SERVER["PHP_AUTH_PW"];
> }

Now before login to phpVirtualBox I must login to apache, and next my login data are used for authentication to VBoxManage. The password in .htpasswd is encrypted.

BTW: Whe the login data of phpVirtualBox are not used to login to virtual machines? In multiuser system, when users have own virtual machines it will enable control only of their machines after login.

#12 Avoid cleartext passwords in config.php

Ian Moore — Mon, 07 Dec 2015 03:11:22 -0000

Here's the thing - if phpvirtualbox required a password encrypted with some key, it would still have to decrypt it before it sends it to vboxwebsrv which requires a plain text password. If it needs to decrypt it, it would need to store the key and any attacker with access to your system could easily decrypt it. It would be so easy to decrypt that there would just be no point. And many PHP applications do this for passwords. It is a false sense of security. Though I guess I could move in that route to make people feel better (falsly).

The way I run all my servers is I dIsable authentication in vboxwebsrv and remove the password from config.php.

I'll look again into if vboxauthsimple could be used. It does sound promising.

#12 Avoid cleartext passwords in config.php

Tim K — Thu, 19 Nov 2015 02:12:28 -0000

The http://xqus.com/blog/phpvirtbox-vboxauthsimple link is no longer available and phpvirtualbox is now at version 5.0-X. Still appears to require the password to be hardcoded into the config.php. Anyone have a way to NOT include the password in clear text of the config.php?

#12 Avoid cleartext passwords in config.php

Christoph Lechleitner — Sat, 01 Feb 2014 17:55:21 -0000

Thanks for that proposal and link.

That approach sounds even better - if we trust VirtualBox not to drop VBoxAuthSimple.

Anyway it'd be great to see that integrated into the phpvirtualbox upstream.

#12 Avoid cleartext passwords in config.php

Audun Larsen — Sat, 01 Feb 2014 17:42:47 -0000

Hi,

This could be to some help: http://xqus.com/blog/phpvirtbox-vboxauthsimple

#12 Avoid cleartext passwords in config.php

Christoph Lechleitner — Sun, 15 Dec 2013 16:26:20 -0000

A recently pubishled (generally positive) review in the German IT magazine iX (issue 12/2013, page 144), also mentioned poor authentication system as most important weakness of phpvirtualbox.

I think a lot of people would like to see a major enhancement here.

Actually, I'd expect Oracle to put some efforts (say, money for 1-2 full time developers) in this. They don't offer any Web UI on their own but point to phpvirtualbox, too. Unfortunately they are well known for really poor handling of security problems.

Avoid cleartext passwords in config.php

Christoph Lechleitner — Sun, 15 Dec 2013 16:23:39 -0000

As described in https://code.google.com/p/phpvirtualbox/issues/detail?id=445 back at Google's Bugtracker used prior to the sourceforge transition, the fact that the password of the webservice user has to put in the config.php as clear text is "not a good idea", to say it polite.

Also described there is a way to get rid of the clear text password using 4 additional lines for ajax.php, changing 1 line in virtualboxconnector.php, and a few special steps.