problem still present in v 1.2.15.

can be solved by adding the lines in bold in the file core/authentication_api.php
function auth_does_password_match( $p_user_id, $p_test_password ) {
$t_configured_login_method = config_get( 'login_method' );
if( HTTP_AUTH == $t_configured_login_method ) {
return true ;
}
if( LDAP == $t_configured_login_method ) {
return ldap_authenticate( $p_user_id, $p_test_password );
}

This isn't actually the correct fix for this issue - HTTP_AUTH was designed for situation where username+password were set in server headers - therefore adding a bypass here introduces a security risk.

Ok, I'll revert the commit. Thx for your input.

I did some tests
Config : Mantis 1.2.15 running in apache 2.2.3 on red hat 5.3, $g_login_method = HTTP_AUTH in config_inc.php

case 1, mantis source 1.2.15 without changes :
if no username+password are set in server headers (e.g. no apache authentication method set on the Mantis directory, i.e. Allow From all)
then,
Mantis asks the user for credentials (auth_http_prompt() in login.php)
if no passwords are stored in the mantis database : Mantis keeps on asking the users for credentials
else if passwords are stored in the database encrypted with MD5, you can access Mantis UI, but Mantis replace the password in the database in plain text (!!) so that you won't be able to log in the next time

case 2, mantis source 1.2.15 without changes :
if username+password are set in server headers (e.g. apache authentication method set on the Mantis directory , i.e. AuthType/AuthName/Require/Satisfy)
then,
if user give wrong credentials (i.e. apache can't authenticate the user), apache keeps on asking the user for good credentials
else
Mantis asks the user for credentials too (auth_http_prompt() in login.php) which we don't want as apache already authenticate the user

case 3, mantis source 1.2.15 with changes in note 0011084:0036858 :
if no username+password are set in server headers (e.g. no apache authentication method set on the Mantis directory, i.e. Allow From all)
then,
Mantis asks the user for credentials(auth_http_prompt() in login.php)
if no passwords are stored in the mantis database, or stored in plain text : Mantis keeps on asking the users for credentials
else if passwords are stored in the database encrypted with MD5, you can access Mantis UI and the password is not altered so that you will be able to log in the next time

case 4, mantis source 1.2.15 with changes in note 0011084:0036858 :
if username+password are set in server headers (e.g. apache authentication method set on the Mantis directory, i.e. AuthType/AuthName/Require/Satisfy)
then,
if user give wrong credentials (i.e. apache can't authenticate the user), apache keeps on asking the user for good credentials
else
user can access Mantis UI and the password in database is not altered

I conclude that if the login method is set to HTTP_AUTH and you don't configure your web server to ask the user for credentials, Mantis is protected as it tries to authenticate the user against the database.

I don't understand where the security risk is. Am I right?

Gerald

There are a few issues within the core of Mantis:

1) it assumes that each user requires a valid e-mail address. If not, create_user fails.

I fixed that by commenting out

email_ensure_valid( $p_email );

within the function user_create() which is in core/user_api.php:447 (Mantis 1.2.11)

2) Auto-creating users is not enabled for HTTP_AUTH

Within function auth_attempt_login(), create a new elseif block for HTTP auth:

} else if ( HTTP_AUTH == $t_login_method) {
$t_auto_create = true;
}

This made mantis work with HTTP AUTH.