check for request for authentication server allows bypassing?

wlanmac wlan at
Thu Aug 7 18:14:05 UTC 2008

I seem to recall commenting it out because I found only checking http
and https ports was too restrictive. It should probably parse out the
uamserver url port number to check with, in the case it is not a
standard port being used. I suppose this can be overcome with adding
uamallowed entries for the authip:port.. For your proxy issue, you could
always run it on another IP address. I would hate to make a change back
like this only to have many sites, using alternate ports, not work.
Suggestions are welcome. 


On Tue, 2008-08-05 at 19:34 +0200, Peter Warasin wrote:
> Hi guys
> I found out that coovachilli allows access to the whole uamlisten ip 
> address whether the user is authenticated or not.
> In my case there is a squid running on the same host, which then allows 
> people to bypass the hotspot by manually configure their browsers in 
> order to use that proxy.
> This is due to some lines commented out in dhcp.c:1936, which makes the 
> check whether it is a request for the auth server or not less specific.
> ------------------------- snip ----------------------------------
>    /* Was it a request for authentication server? */
>    for (i = 0; i<this->authiplen; i++) {
>      if ((pack->iph.daddr == this->authip[i].s_addr) /* &&
> 	(pack->iph.protocol == PKT_IP_PROTO_TCP) &&
> 	((tcph->dst == htons(DHCP_HTTP)) ||
> 	(tcph->dst == htons(DHCP_HTTPS)))*/)
>        return 0; /* Destination was authentication server */
>    }
> ------------------------- snap ----------------------------------
> I would like to ask why these lines are commented out and if it is safe 
> to remove the comment and bring them back in? That would close the hole.
> I tested with the correct check (lines not commented out), which is 
> working fine for me (dhcp and anyip). uamallow is also working fine.
> So I am wondering if there is some reason, something I am missing, why 
> this check has been made less specific.
> I attach a patch which removes the comment, for the case that there is 
> no reason for disabling that lines.
> kind regards
> peter
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: chilli-unsubscribe at
> For additional commands, e-mail: chilli-help at
> Wiki:
> Forum:

More information about the Chilli mailing list