Mysql – mantis new user registration without email

mantisMySQL

Mantis needs the new user to click on a link received in a mail. As per company policy, the sendmail (or any other) application can not be active on server. How do I allow users to register without a valid e-mail?

Is there anyway I can run an update query and change the password directly in the database and hand it over to the user?

Best Answer

Create the user normally via http://path/to/mantis/manage_user_create_page.php (using an existing admin account)
Open a command prompt and log into MySQL (mysql -u root -p)
use bugtracker; (where bugtracker is the name of the mantis bd; default = bugtracker)
update mantis_user_table set password=md5('password') where username='username';

The whole cmd exchange looks like this:

C:\Program Files\MySQL\MySQL Server 4.1\bin>mysql -u root -p
Enter password: *********
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 7 to server version: 4.1.21-community-nt

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> use bugtracker;
Database changed

mysql> update mantis_user_table set password=md5('password') where username='username';
Query OK, 1 row affected (0.00 sec)
Rows matched: 1 Changed: 1 Warnings: 0

Related Solutions

Php – Automatic login between separate php web apps. Security issue

Is this a risk? Yes, but there may be mitigating factors.

Is the check performed from server to server interaction or is client side javascript making the call? If server to server, that lowers the risk a little.
Is mantis publicly facing or completely internal? If internal, then this limits scope to internal users only.
If all of the bug information was "leaked" to the internet, does that have potential consequences to your employer? This is the harder one. Also, this one has to be weighed against the access already provided to the techs.
What is the maximum potential for damage? In other words, let's assume that one of your support techs is pissed off and decides to take a shot at the company systems.

What could they do?

Mantis simply stores bug tracking information. Further, if your server is backed up nightly then you are limited to the potential defacing of one days worth of bugs. Hardly worthwhile from a hacker perspective, and of no real consequence to the company.

The amount of security used should be commensurate with what it is defending.

Mysql – How to get a list of user accounts using the command line in MySQL

Use this query:

SELECT User FROM mysql.user;

Which will output a table like this:

+-------+
| User  |
+-------+
| root  |
+-------+
| user2 |
+-------+

As Matthew Scharley points out in the comments on this answer, you can group by the User column if you'd only like to see unique usernames.

Best Answer

Related Solutions

Php – Automatic login between separate php web apps. Security issue

Mysql – How to get a list of user accounts using the command line in MySQL

Related Topic