View Issue Details

ID: 0003619
Project: mantisbt
Category: security
View Status: public
Last Update: 2014-11-07 15:17
Reporter: smhanson
Assigned To: (none)
Priority: normal
Severity: major
Reproducibility: always
Status: confirmed
Resolution: open
Summary: 0003619: BASIC_AUTH automatically saves plain-text password in database
Description

I freshly installed Mantis 0.18.2, intended for internal use. I want to authenticate externally (using mod_auth_pam) to avoid having to set up users. However, on a user's first login his password is saved in plain text in the user table.

Tags: patch
Attached Files
login.patch (372 bytes)   
--- login.php.orig	2004-03-04 09:08:50.000000000 +0100
+++ login.php	2004-03-04 09:09:25.000000000 +0100
@@ -21,7 +21,7 @@
 
 	if ( BASIC_AUTH == config_get( 'login_method' ) ) {
 		$f_username = $_SERVER['REMOTE_USER'];
-		$f_password = $_SERVER['PHP_AUTH_PW'];
+		$f_password = '';
  	}
 
 	if ( auth_attempt_login( $f_username, $f_password, $f_perm_login ) ) {
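Review bot: Replacing the header password with '' in login.php only changes what is passed in; auth_attempt_login() (the context line below the change) still stores that value on first login and still compares it on every later login, so the empty string becomes the account's stored credential and any pre-existing account with a real password is locked out under BASIC_AUTH. The fix belongs in authentication_api.php, where the password comparison and the use of the password in user creation can be skipped outright when the login method is BASIC_AUTH, rather than being satisfied with a known-empty value.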
mantis-1.1.0-basic_auth.patch (3,396 bytes)   
diff -ru mantis-1.1.0.orig/core/authentication_api.php mantis-1.1.0.patched/core/authentication_api.php
--- mantis-1.1.0.orig/core/authentication_api.php	2007-10-19 07:54:58.000000000 +0200
+++ mantis-1.1.0.patched/core/authentication_api.php	2008-01-06 11:35:26.000000000 +0100
@@ -83,9 +83,16 @@
 
 		if ( false === $t_user_id ) {
 			if ( BASIC_AUTH == $t_login_method ) {
-				# attempt to create the user if using BASIC_AUTH
-				$t_cookie_string = user_create( $p_username, $p_password );
-
+				# Create the user if using BASIC_AUTH
+				#
+				# Modified to generate a random password.
+				# Since basic authentication should be authoratative, then this password
+        			# is just a dummy password, and should never be used. --Brian Vargas 
+				# http://ardvaark.net/making_mantis_with_basic_authentication_not_suck.html
+				# 
+			 	# This seems like right thing to do, even TWiki use this approach. --Joachim Nilsson
+				$p_email = "$p_username@example.com";
+				$t_cookie_string = user_create( $p_username, auth_generate_random_password($p_email) );
 				if ( false === $t_cookie_string ) {
 					# it didn't work
 					return false;
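Review bot: The new local is named $p_email although it is not a parameter of this function (the hunk uses $p_username and $p_password as the parameters); Mantis prefixes locals with $t_, so $t_email is the conventional name. The fabricated "$p_username@example.com" value is also only used to seed auth_generate_random_password() and is never handed to user_create(), so a comment stating that the account is created without an e-mail address would stop the next reader from assuming the address is stored. The added comment block mixes tabs and spaces (the "is just a dummy password" and "This seems like right thing to do" lines are space-indented while the rest use tabs); match the file's tab indentation.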
@@ -123,7 +130,7 @@
 		if ( !( ( ON == $t_anon_allowed ) && ( $t_anon_account == $p_username)  ) ) {
 			# anonymous login didn't work, so check the password
 
-			if ( !auth_does_password_match( $t_user_id, $p_password ) ) {
+			if ( BASIC_AUTH != $t_login_method && !auth_does_password_match( $t_user_id, $p_password )) {
 				user_increment_failed_login_count( $t_user_id );
 				return false;
 			}
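Review bot: Short-circuiting the comparison with `BASIC_AUTH != $t_login_method &&` means auth_attempt_login() now trusts $p_username unconditionally whenever the login method is BASIC_AUTH, so the whole scheme rests on every caller passing only the web-server-verified REMOTE_USER and never a value taken from a form field. It would be safer for this function to refuse unless $p_username matches $_SERVER['REMOTE_USER'] (or to take the name from there instead of the argument), and a comment stating that invariant at this line would help whoever maintains the callers.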
diff -ru mantis-1.1.0.orig/core/html_api.php mantis-1.1.0.patched/core/html_api.php
--- mantis-1.1.0.orig/core/html_api.php	2007-10-28 15:39:30.000000000 +0100
+++ mantis-1.1.0.patched/core/html_api.php	2008-01-06 11:29:08.000000000 +0100
@@ -594,7 +594,7 @@
 					$t_menu_options[] = '<a href="billing_page.php">' . lang_get( 'time_tracking_billing_link' ) . '</a>';
 
 				# Logout (no if anonymously logged in)
-				if ( !current_user_is_anonymous() ) {
+				if ( BASIC_AUTH != config_get( 'login_method' ) && !current_user_is_anonymous() ) {
 					$t_menu_options[] = '<a href="logout_page.php">' . lang_get( 'logout_link' ) . '</a>';
 				}
 				PRINT implode( $t_menu_options, ' | ' );
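Review bot: Hiding the logout link is cosmetic; logout_page.php stays reachable by URL, so this hunk only makes sense together with the logout_page.php change in the same patch, and a short comment on the new condition explaining why logout is suppressed under BASIC_AUTH (the browser keeps re-sending the Authorization header, so a Mantis-side logout is undone on the next request) would make the intent clear to someone reading html_api.php on its own.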
diff -ru mantis-1.1.0.orig/index.php mantis-1.1.0.patched/index.php
--- mantis-1.1.0.orig/index.php	2007-10-13 23:36:40.000000000 +0200
+++ mantis-1.1.0.patched/index.php	2008-01-06 11:25:42.000000000 +0100
@@ -25,6 +25,8 @@
 <?php
 	if ( auth_is_user_authenticated() ) {
 		print_header_redirect( config_get( 'default_home_page' ) );
+	} else if ( BASIC_AUTH == config_get( 'login_method' ) ) { 
+	        print_header_redirect( 'login.php' ); 
 	} else {
 		print_header_redirect( 'login_page.php' );
 	}
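Review bot: The added `print_header_redirect( 'login.php' );` branch is space-indented while the surrounding code uses tabs, and both added lines carry trailing whitespace; match the file's tab indentation. The redirect also relies on login.php picking up REMOTE_USER when it arrives with no POST data (the path the 0.18.2 login.patch above touches), so a one-line comment saying that BASIC_AUTH users are sent straight to login.php because the web server has already authenticated them would document that assumption.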
diff -ru mantis-1.1.0.orig/logout_page.php mantis-1.1.0.patched/logout_page.php
--- mantis-1.1.0.orig/logout_page.php	2007-10-13 23:36:40.000000000 +0200
+++ mantis-1.1.0.patched/logout_page.php	2008-01-06 11:25:42.000000000 +0100
@@ -30,5 +30,9 @@
 		auth_http_set_logout_pending( true );
 	}
 
-	print_header_redirect( config_get( 'logout_redirect_page' ), /* die */ true, /* sanitize */ false );
+        if ( BASIC_AUTH == config_get( 'login_method' ) ) {
+	        print_header_redirect( 'index.php' ); 
+	} else { 
+        	print_header_redirect( config_get( 'logout_redirect_page' ), /* die */ true, /* sanitize */ false );
+	}
 ?>
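Review bot: Indentation is mixed again (the `if` line and the inner redirect are space-indented, the `else` line tab-indented). More importantly, under BASIC_AUTH the redirect to index.php sends the user back onto the auto-login path with the browser still supplying the same Authorization header, so this "logout" logs the same user straight back in; Mantis cannot invalidate credentials the browser caches. Either say so in a comment, or show a page telling the user to close the browser instead of redirecting.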

Relationships

child of 0005460 (closed, vboctor): Critical Issues to Fix for Mantis 1.0.0 Release

Activities

smhanson (reporter) 2004-03-04 03:18 ~0005163

I seem to have fixed the problem for my installation by setting the submitted password to an empty string in login.php (see attached patch).

I'm not sure why Mantis needs the password at all under BASIC_AUTH. The user is already authenticated, that's all Mantis needs to know.

thraxisp (reporter) 2004-08-08 18:02 ~0006837

The new HTTP_AUTH might address this.

MBoer (reporter) 2004-08-27 11:30 ~0007234

I want to agree with smhanson: I don't think Mantis should save BASIC_AUTH passwords. One reason is that it is a security problem -- they are currently saved in plain text! Another is that if the user changes her BASIC_AUTH password, Mantis refuses entry because it has saved an obsolete one.

smhanson (reporter) 2004-09-15 06:43 ~0007589

I'm testing the 0.19.0 release, and this seems to be fixed.

smhanson (reporter) 2004-10-12 05:54 ~0007991

Last edited: 2004-10-12 05:56

All is not well with BASIC_AUTH in 0.19.0. See 0004691 (BASIC_AUTH shows login screen when user already authenticated)

proffe (reporter) 2005-01-24 13:12 ~0009061

It's not fixed in 0.19.2. The problem is that the password is checked in authentication_api.php even though Apache has already validated it. In my installation I changed it to allow access directly if BASIC_AUTH == $t_login_method. The submitted patch would also work, but then you have to make sure that the passwords in Mantis's database are always blank.

HTTP_AUTH has nothing to do with this (it apparently checks the password against Mantis's database, but obtains it through HTTP authentication headers).

troglobit (reporter) 2008-01-06 05:45 ~0016563

Attaching a patch for Mantis v1.1.0 that should fix this issue. It is an adaptation of Brian Vargas' patches at http://ardvaark.net/making_mantis_with_basic_authentication_not_suck.html

The patch basically

  • Removes the Logout option
  • Inserts a random password in the db

To make it work you have to have the following in your config_inc.php:

# Authentication
$g_validate_email = OFF;
$g_login_method = BASIC_AUTH;

The only tricky thing left is that the "Administrator" account must be a valid user in your "other" authentication scheme.

This closes 0008012 for me, making SSO with Active Directory possible through Winbind. See that issue for further details on setup.
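As an added illustration (not code from this issue, from the attached patches or from MantisBT itself), the pattern the thread converges on, an identity taken only from the web server's REMOTE_USER with no password stored or compared locally, is modelled below in plain PHP. The $users array standing in for the user table, the function names and the constructed $server request array are all hypothetical.

```php
<?php
// Added illustration, not MantisBT code. $users stands in for the user table;
// $server stands in for $_SERVER as populated by Apache after a successful
// Basic-auth check. All names here are hypothetical.

// Vulnerable shape (what the 0.18.2 first-login path effectively did): the
// password the browser sent in the Authorization header is handed to account
// creation and ends up persisted as-is.
function first_login_vulnerable(array &$users, array $server): void
{
    $username = $server['REMOTE_USER'];
    $users[$username] = ['password' => $server['PHP_AUTH_PW']]; // plain text lands in storage
}

// Hardened shape: trust only REMOTE_USER, which the web server sets after it
// has verified the credentials itself; never read PHP_AUTH_PW. The local
// record receives a random placeholder that is generated, hashed and then
// discarded, so no stored value can be replayed against the external system.
function first_login_external(array &$users, array $server): ?string
{
    if (empty($server['REMOTE_USER'])) {
        return null; // the web server did not authenticate this request: refuse
    }
    $username = $server['REMOTE_USER'];
    if (!isset($users[$username])) {
        $placeholder = bin2hex(random_bytes(32)); // 256 random bits, never shown to anyone
        $users[$username] = [
            'password_hash' => password_hash($placeholder, PASSWORD_DEFAULT),
            'email'         => '', // left for the user to fill in; not fabricated
        ];
    }
    return $username;
}

// Later logins under external auth: no local password comparison at all.
// The account must exist and the web server must have set REMOTE_USER.
function attempt_login_external(array $users, array $server): bool
{
    return !empty($server['REMOTE_USER']) && isset($users[$server['REMOTE_USER']]);
}

// Constructed request: what Apache hands PHP once Basic auth has succeeded.
$server = ['REMOTE_USER' => 'alice', 'PHP_AUTH_PW' => 'hunter2'];

$bad = [];
first_login_vulnerable($bad, $server);
echo "vulnerable store holds the header password verbatim: "
    . ($bad['alice']['password'] === $server['PHP_AUTH_PW'] ? 'yes' : 'no') . "\n";

$good = [];
first_login_external($good, $server);
$leaked = password_verify($server['PHP_AUTH_PW'], $good['alice']['password_hash']);
echo "hardened store would accept the header password: " . ($leaked ? 'yes' : 'no') . "\n";
echo "later login with REMOTE_USER set: "
    . (attempt_login_external($good, $server) ? 'ok' : 'refused') . "\n";
echo "later login without REMOTE_USER: "
    . (attempt_login_external($good, []) ? 'ok' : 'refused') . "\n";
```

The point of the placeholder is the one troglobit's patch makes: the local record needs some password column value, but it must be one nobody knows and that is never compared, so a leak of the table exposes nothing reusable against the external authentication system.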