#12 Avoid cleartext passwords in config.php

[Christoph Lechleitner]

As described in https://code.google.com/p/phpvirtualbox/issues/detail?id=445 back at Google's Bugtracker used prior to the sourceforge transition, the fact that the password of the webservice user has to put in the config.php as clear text is "not a good idea", to say it polite.

Also described there is a way to get rid of the clear text password using 4 additional lines for ajax.php, changing 1 line in virtualboxconnector.php, and a few special steps.

[Christoph Lechleitner]

A recently pubishled (generally positive) review in the German IT magazine iX (issue 12/2013, page 144), also mentioned poor authentication system as most important weakness of phpvirtualbox.

I think a lot of people would like to see a major enhancement here.

Actually, I'd expect Oracle to put some efforts (say, money for 1-2 full time developers) in this. They don't offer any Web UI on their own but point to phpvirtualbox, too. Unfortunately they are well known for really poor handling of security problems.

[Audun Larsen]

Hi,

This could be to some help: http://xqus.com/blog/phpvirtbox-vboxauthsimple

[Christoph Lechleitner]

Thanks for that proposal and link.

That approach sounds even better - if we trust VirtualBox not to drop VBoxAuthSimple.

Anyway it'd be great to see that integrated into the phpvirtualbox upstream.

[Tim K]

The http://xqus.com/blog/phpvirtbox-vboxauthsimple link is no longer available and phpvirtualbox is now at version 5.0-X. Still appears to require the password to be hardcoded into the config.php. Anyone have a way to NOT include the password in clear text of the config.php?

[Ian Moore]

Here's the thing - if phpvirtualbox required a password encrypted with some key, it would still have to decrypt it before it sends it to vboxwebsrv which requires a plain text password. If it needs to decrypt it, it would need to store the key and any attacker with access to your system could easily decrypt it. It would be so easy to decrypt that there would just be no point. And many PHP applications do this for passwords. It is a false sense of security. Though I guess I could move in that route to make people feel better (falsly).

The way I run all my servers is I dIsable authentication in vboxwebsrv and remove the password from config.php.

I'll look again into if vboxauthsimple could be used. It does sound promising.

[Marcin Kucharczyk]

I solved the problem protecting the phpvirtualbox folder with .htaccess/.htpasswd and making a small modification of config.php:

% diff config.php.sample config.php
8a9
>
12,13c13,20
< var $username = 'vbox';
< var $password = 'pass';
---
> var $username = '';
> var $password = '';
>
> public function __construct()
> {
>   $this->username = $_SERVER["PHP_AUTH_USER"];
>   $this->password = $_SERVER["PHP_AUTH_PW"];
> }

Now before login to phpVirtualBox I must login to apache, and next my login data are used for authentication to VBoxManage. The password in .htpasswd is encrypted.

BTW: Why the login data of phpVirtualBox are not used to login to virtual machines? In multiuser system, when users have own virtual machines it will enable control only of their machines after login.