View Issue Details
| Field | Value |
|---|---|
| ID | 0003619 |
| Project | mantisbt |
| Category | security |
| View Status | public |
| Date Submitted | 2004-03-01 10:58 |
| Last Update | 2014-11-07 15:17 |
| Reporter | smhanson |
| Assigned To | |
| Priority | normal |
| Severity | major |
| Reproducibility | always |
| Status | confirmed |
| Resolution | open |
| Summary | 0003619: BASIC_AUTH automatically saves plain-text password in database |
| Description | I freshly installed Mantis 0.18.2 intended for internal use. I want to authenticate externally (using mod_auth_pam) to avoid having to set up users. However, on a user's first login his password is saved in plain text in the user table. |
| Tags | patch |

Attached Files: login.patch (372 bytes)
--- login.php.orig 2004-03-04 09:08:50.000000000 +0100 +++ login.php 2004-03-04 09:09:25.000000000 +0100 @@ -21,7 +21,7 @@ if ( BASIC_AUTH == config_get( 'login_method' ) ) { $f_username = $_SERVER['REMOTE_USER']; - $f_password = $_SERVER['PHP_AUTH_PW']; + $f_password = ''; } if ( auth_attempt_login( $f_username, $f_password, $f_perm_login ) ) { mantis-1.1.0-basic_auth.patch (3,396 bytes)
diff -ru mantis-1.1.0.orig/core/authentication_api.php mantis-1.1.0.patched/core/authentication_api.php --- mantis-1.1.0.orig/core/authentication_api.php 2007-10-19 07:54:58.000000000 +0200 +++ mantis-1.1.0.patched/core/authentication_api.php 2008-01-06 11:35:26.000000000 +0100 @@ -83,9 +83,16 @@ if ( false === $t_user_id ) { if ( BASIC_AUTH == $t_login_method ) { - # attempt to create the user if using BASIC_AUTH - $t_cookie_string = user_create( $p_username, $p_password ); - + # Create the user if using BASIC_AUTH + # + # Modified to generate a random password. + # Since basic authentication should be authoratative, then this password + # is just a dummy password, and should never be used. --Brian Vargas + # http://ardvaark.net/making_mantis_with_basic_authentication_not_suck.html + # + # This seems like right thing to do, even TWiki use this approach. --Joachim Nilsson + $p_email = "$p_username@example.com"; + $t_cookie_string = user_create( $p_username, auth_generate_random_password($p_email) ); if ( false === $t_cookie_string ) { # it didn't work return false; @@ -123,7 +130,7 @@ if ( !( ( ON == $t_anon_allowed ) && ( $t_anon_account == $p_username) ) ) { # anonymous login didn't work, so check the password - if ( !auth_does_password_match( $t_user_id, $p_password ) ) { + if ( BASIC_AUTH != $t_login_method && !auth_does_password_match( $t_user_id, $p_password )) { user_increment_failed_login_count( $t_user_id ); return false; } diff -ru mantis-1.1.0.orig/core/html_api.php mantis-1.1.0.patched/core/html_api.php --- mantis-1.1.0.orig/core/html_api.php 2007-10-28 15:39:30.000000000 +0100 +++ mantis-1.1.0.patched/core/html_api.php 2008-01-06 11:29:08.000000000 +0100 
@@ -594,7 +594,7 @@ $t_menu_options[] = '<a href="billing_page.php">' . lang_get( 'time_tracking_billing_link' ) . '</a>'; # Logout (no if anonymously logged in) - if ( !current_user_is_anonymous() ) { + if ( BASIC_AUTH != config_get( 'login_method' ) && !current_user_is_anonymous() ) { $t_menu_options[] = '<a href="logout_page.php">' . lang_get( 'logout_link' ) . '</a>'; } PRINT implode( $t_menu_options, ' | ' ); diff -ru mantis-1.1.0.orig/index.php mantis-1.1.0.patched/index.php --- mantis-1.1.0.orig/index.php 2007-10-13 23:36:40.000000000 +0200 +++ mantis-1.1.0.patched/index.php 2008-01-06 11:25:42.000000000 +0100 @@ -25,6 +25,8 @@ <?php if ( auth_is_user_authenticated() ) { print_header_redirect( config_get( 'default_home_page' ) ); + } else if ( BASIC_AUTH == config_get( 'login_method' ) ) { + print_header_redirect( 'login.php' ); } else { print_header_redirect( 'login_page.php' ); } diff -ru mantis-1.1.0.orig/logout_page.php mantis-1.1.0.patched/logout_page.php --- mantis-1.1.0.orig/logout_page.php 2007-10-13 23:36:40.000000000 +0200 +++ mantis-1.1.0.patched/logout_page.php 2008-01-06 11:25:42.000000000 +0100 @@ -30,5 +30,9 @@ auth_http_set_logout_pending( true ); } - print_header_redirect( config_get( 'logout_redirect_page' ), /* die */ true, /* sanitize */ false ); + if ( BASIC_AUTH == config_get( 'login_method' ) ) { + print_header_redirect( 'index.php' ); + } else { + print_header_redirect( config_get( 'logout_redirect_page' ), /* die */ true, /* sanitize */ false ); + } ?> | ||||
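Review bot: The login.patch hunk only blanks the password that login.php forwards, so auth_attempt_login() still runs its password comparison, and an account auto-created on first login (the `user_create( $p_username, $p_password )` context line in the authentication_api.php hunk) is stored with an empty password; as the later note on 0.19.2 says, this only works while every BASIC_AUTH user's database password stays blank. Guarding the assignment with a check that $_SERVER['REMOTE_USER'] is non-empty would also avoid passing an unset username when the script is reached outside the web server's protected area.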
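Review bot: In the first authentication_api.php hunk, `$p_email = "$p_username@example.com";` fabricates an address for every auto-created account and assigns it to a variable named like a function parameter; it is only passed to auth_generate_random_password(), so a plainly labelled seed variable would be clearer than something a later notification or user_create path might treat as the user's real e-mail. Also fix "authoratative" in the comment and drop the empty `#` lines.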
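Review bot: In the second authentication_api.php hunk, `BASIC_AUTH != $t_login_method && !auth_does_password_match(...)` removes the password comparison entirely, so in BASIC_AUTH mode the only thing between a request and a session is the web server having set REMOTE_USER for whichever script called auth_attempt_login(). Consider re-checking inside this function that $_SERVER['REMOTE_USER'] is set and equals $p_username before skipping the comparison, so a script the server forgot to protect cannot log in under an arbitrary name; note the failed-login counter is also no longer incremented on this path. Style: `$p_password )) {` should be `$p_password ) ) {` to match the surrounding spacing.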
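Review bot: In the html_api.php hunk, hiding the logout link does not make logout_page.php unreachable, and with HTTP Basic authentication the browser keeps resending credentials, so there is no server-side way to end the session. A short comment next to the new condition saying that logout is intentionally unavailable under BASIC_AUTH would stop the next maintainer from re-adding the link.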
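Review bot: In the index.php hunk, redirecting unauthenticated BASIC_AUTH visitors to login.php assumes that login.php itself is under the web server's authentication requirement, since it reads $_SERVER['REMOTE_USER'] (login.patch hunk); document that requirement next to the new branch, because an unprotected login.php would leave $f_username unset.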
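Review bot: In the logout_page.php hunk, the new BASIC_AUTH branch calls print_header_redirect( 'index.php' ) without the `/* die */ true, /* sanitize */ false` arguments that the original call passes; either pass the same flags or note why the defaults are acceptable. Since index.php now sends unauthenticated users to login.php and the browser replays the Basic credentials, this redirect effectively logs the user straight back in; a comment stating that this is the intended behaviour would help.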
I seem to have fixed the problem for my installation by setting the submitted password to an empty string in login.php (see attached patch). I'm not sure why Mantis needs the password at all under BASIC_AUTH. The user is already authenticated, that's all Mantis needs to know.
The new HTTP_AUTH might address this.
I want to agree with smhanson: I don't think Mantis should save BASIC_AUTH passwords. One reason is that it is a security problem -- they are currently saved in plain text! Another is that if the user changes her BASIC_AUTH password, Mantis refuses entry because it has saved an obsolete one.
I'm testing the 0.19.0 release, and this seems to be fixed.
All is not well with BASIC_AUTH in 0.19.0. See 0004691 (BASIC_AUTH shows login screen when user already authenticated). (edited on: 10-12-04 05:56)
It's not fixed in 0.19.2. The problem is that the password is checked in authentication_api.php even though Apache has already validated it. In my installation I changed it to allow access directly if BASIC_AUTH == $t_login_method. The submitted patch would also work, but then you have to make sure that the passwords in Mantis's database are always blank. HTTP_AUTH has nothing to do with this (it apparently checks the password against Mantis's database, but obtains it through HTTP authentication headers).
Attaching a patch for Mantis v1.1.0 that should fix this issue. It is an adaptation of Brian Vargas' patches at http://ardvaark.net/making_mantis_with_basic_authentication_not_suck.html The patch basically
To make it work you have to have the following in your config_inc.php:
The only tricky thing left is that the "Administrator" account must be a valid user in your "other" authentication scheme. This closes 0008012 for me, making SSO with Active Directory possible through Winbind. See that issue for further details on setup.
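As an added illustration (not MantisBT code and not part of the attached patches), this stand-alone PHP contrasts the reported behaviour with the approach the patches take: the user "table" is an in-memory array and the request is constructed the way mod_auth_pam would present it.

```php
<?php
// Hypothetical model of the two login flows discussed in this issue; the
// function names, the $users array and the request below are all constructed.

// Original behaviour: the browser-supplied password is handed to user
// creation and persisted, so the web server's secret lands in the app database.
function login_storing_password(array $server, array &$users): bool {
    $username = $server['REMOTE_USER'] ?? '';
    $password = $server['PHP_AUTH_PW'] ?? '';
    if (!isset($users[$username])) {
        $users[$username] = ['password' => $password];   // plain text, as reported
    }
    // Also fails once the PAM password changes, since the stored copy is stale.
    return $users[$username]['password'] === $password;
}

// Hardened behaviour (what the attached 1.1.0 patch does): trust REMOTE_USER
// only, never read PHP_AUTH_PW, provision a random throw-away secret stored
// only as a hash, and skip the password comparison once the server has
// authenticated the request.
function login_trusting_webserver(array $server, array &$users): bool {
    $username = $server['REMOTE_USER'] ?? '';
    if ($username === '') {
        // Request did not pass the web server's auth layer (e.g. an
        // unprotected path): refuse rather than create an account.
        return false;
    }
    if (!isset($users[$username])) {
        $dummy = bin2hex(random_bytes(32));
        $users[$username] = ['password' => password_hash($dummy, PASSWORD_DEFAULT)];
    }
    return true;
}

// Constructed request as the web server's auth module would populate it.
$request = ['REMOTE_USER' => 'alice', 'PHP_AUTH_PW' => 'hunter2'];

$db = [];
login_storing_password($request, $db);
printf("original: stored value for alice = %s\n", $db['alice']['password']);

$db = [];
login_trusting_webserver($request, $db);
$stored = $db['alice']['password'];
printf("patched: stored value is a hash (%s...), contains the password: %s\n",
    substr($stored, 0, 7), var_export(strpos($stored, 'hunter2') !== false, true));

// A request that bypassed the auth layer must neither log in nor create a user.
var_dump(login_trusting_webserver(['REMOTE_USER' => ''], $db));
```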