MantisBT

View Issue Details

ID: 0003619
Project: mantisbt
Category: security
View Status: public
Date Submitted: 2004-03-01 10:58
Last Update: 2008-07-13 12:19
Reporter: smhanson
Assigned To: grangeway
Priority: normal
Severity: major
Reproducibility: always
Status: assigned
Resolution: open
Platform: (not set)
OS: (not set)
OS Version: (not set)
Product Version: (not set)
Target Version: (not set)
Fixed in Version: (not set)
Summary: 0003619: BASIC_AUTH automatically saves plain-text password in database
Description: I freshly installed Mantis 0.18.2, intended for internal use. I want to authenticate externally (using mod_auth_pam) to avoid having to set up users. However, on a user's first login his password is saved in plain text in the user table.
Tags: patch
Attached Files:
  login.patch (372 bytes) 2004-03-04 03:12
  mantis-1.1.0-basic_auth.patch (3,396 bytes) 2008-01-06 05:46

- Relationships
child of 0005460 (closed, vboctor): Critical Issues to Fix for Mantis 1.0.0 Release

- Notes
Note 0005163
smhanson (reporter)
2004-03-04 03:18

I seem to have fixed the problem for my installation by setting the submitted password to an empty string in login.php (see attached patch).

I'm not sure why Mantis needs the password at all under BASIC_AUTH. The user is already authenticated, that's all Mantis needs to know.
Note 0006837
thraxisp (manager)
2004-08-08 18:02

The new HTTP_AUTH might address this.
Note 0007234
MBoer (reporter)
2004-08-27 11:30

I want to agree with smhanson: I don't think Mantis should save BASIC_AUTH passwords. One reason is that it is a security problem -- they are currently saved in plain text! Another is that if the user changes her BASIC_AUTH password, Mantis refuses entry because it has saved an obsolete one.
Note 0007589
smhanson (reporter)
2004-09-15 06:43

I'm testing the 0.19.0 release, and this seems to be fixed.
Note 0007991
smhanson (reporter)
2004-10-12 05:54
edited on: 2004-10-12 05:56

All is not well with BASIC_AUTH in 0.19.0. See 0004691 (BASIC_AUTH shows login screen when user already authenticated)
Note 0009061
proffe (reporter)
2005-01-24 13:12

It's not fixed in 0.19.2. The problem is that the password is checked in authentication_api.php even though Apache has already validated it. In my installation I changed it to allow access directly if BASIC_AUTH == $t_login_method. The submitted patch would also work, but then you have to make sure that the passwords in Mantis's database are always blank.

HTTP_AUTH has nothing to do with this (it apparently checks the password against Mantis's database, but obtains it through HTTP authentication headers).
Note 0016563
troglobit (reporter)
2008-01-06 05:45

Attaching a patch for Mantis v1.1.0 that should fix this issue. It is an adaptation of Brian Vargas' patches at http://ardvaark.net/making_mantis_with_basic_authentication_not_suck.html

The patch basically
   * Removes the Logout option
   * Inserts a random password in the db

To make it work you have to have the following in your config_inc.php:

    # Authentication
    $g_validate_email = OFF;
    $g_login_method = BASIC_AUTH;

The only tricky thing left is that the "Administrator" account must be a valid user in your "other" authentication scheme.

This closes 0008012 for me, making SSO with Active Directory possible through Winbind. See that issue for further details on setup.
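To illustrate the approach proffe and troglobit describe, here is an added example in PHP that is not MantisBT's own code and not either attached patch: the first-login path as the report describes it, beside a variant that trusts the web server's REMOTE_USER and stores only a random placeholder. The table and column names, the function names and the value of the BASIC_AUTH constant are assumptions, and password_hash() needs PHP 5.5 or later, which is newer than the Mantis versions discussed.

```php
<?php
// Illustrative example, not MantisBT code. Names below are assumptions.
declare(strict_types=1);

const BASIC_AUTH = 'BASIC_AUTH';   // stand-in for Mantis' login-method constant

/** Vulnerable pattern, as the report describes it: the browser-supplied
 *  password is written to the user table in clear text on first login. */
function vulnerable_first_login(PDO $db, string $user, string $password): void
{
    $db->prepare('INSERT INTO mantis_user_table (username, password) VALUES (?, ?)')
       ->execute([$user, $password]);     // plain-text password lands in the DB
}

/** Hardened pattern: under BASIC_AUTH the web server (e.g. mod_auth_pam)
 *  has already verified the credentials, so the application only needs
 *  REMOTE_USER. The password column receives a random value that is never
 *  compared against anything, so a stale or leaked entry is useless, and a
 *  password change on the PAM side no longer locks the user out. */
function basic_auth_login(PDO $db, string $login_method, array $server): ?string
{
    if ($login_method !== BASIC_AUTH) {
        return null;                      // fall through to normal password login
    }
    $user = $server['REMOTE_USER'] ?? '';
    if ($user === '') {
        return null;                      // the web server authenticated nobody
    }
    $stmt = $db->prepare('SELECT 1 FROM mantis_user_table WHERE username = ?');
    $stmt->execute([$user]);
    if ($stmt->fetchColumn() === false) {
        // First login: create the account with a random placeholder password,
        // stored hashed so that not even the placeholder is recoverable.
        $placeholder = password_hash(bin2hex(random_bytes(32)), PASSWORD_DEFAULT);
        $db->prepare('INSERT INTO mantis_user_table (username, password) VALUES (?, ?)')
           ->execute([$user, $placeholder]);
    }
    // PHP_AUTH_PW is deliberately never read or stored.
    return $user;
}
```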

- Issue History
Date Modified Username Field Change
2004-03-01 10:58 smhanson New Issue
2004-03-04 03:12 smhanson File Added: login.patch
2004-03-04 03:18 smhanson Note Added: 0005163
2004-08-08 18:02 thraxisp Note Added: 0006837
2004-08-08 18:02 thraxisp Status new => confirmed
2004-08-27 11:30 MBoer Note Added: 0007234
2004-09-15 06:43 smhanson Note Added: 0007589
2004-10-12 05:54 smhanson Note Added: 0007991
2004-10-12 05:55 smhanson Note Edited: 0007991
2004-10-12 05:55 smhanson Note Edited: 0007991
2004-10-12 05:56 smhanson Note Edited: 0007991
2005-01-24 13:12 proffe Note Added: 0009061
2005-12-08 04:51 jlatour Relationship added child of 0005460
2008-01-06 05:45 troglobit Note Added: 0016563
2008-01-06 05:46 troglobit File Added: mantis-1.1.0-basic_auth.patch
2008-07-13 12:19 grangeway Tag Attached: patch
2008-07-13 12:19 grangeway Status confirmed => assigned
2008-07-13 12:19 grangeway Assigned To => grangeway


MantisBT 1.2.16dev master-1.2.x-8c2bd07
Copyright © 2000 - 2013 MantisBT Team