check for request for authentication server allows bypassing?
wlanmac
wlan at mac.com
Thu Aug 7 18:14:05 UTC 2008
I seem to recall commenting it out because I found only checking http
and https ports was too restrictive. It should probably parse out the
uamserver url port number to check with, in the case it is not a
standard port being used. I suppose this can be overcome with adding
uamallowed entries for the authip:port. For your proxy issue, you could
always run it on another IP address. I would hate to make a change back
like this only to have many sites, using alternate ports, not work.
Suggestions are welcome.
David
On Tue, 2008-08-05 at 19:34 +0200, Peter Warasin wrote:
> Hi guys
>
> I found out that coovachilli allows access to the whole uamlisten ip
> address whether the user is authenticated or not.
>
> In my case there is a squid running on the same host, which then allows
> people to bypass the hotspot by manually configuring their browsers in
> order to use that proxy.
>
>
> This is due to some lines commented out in dhcp.c:1936, which makes the
> check whether it is a request for the auth server or not less specific.
>
> ------------------------- snip ----------------------------------
>   /* Was it a request for authentication server? */
>   for (i = 0; i < this->authiplen; i++) {
>     if ((pack->iph.daddr == this->authip[i].s_addr) /* &&
>         (pack->iph.protocol == PKT_IP_PROTO_TCP) &&
>         ((tcph->dst == htons(DHCP_HTTP)) ||
>          (tcph->dst == htons(DHCP_HTTPS)))*/)
>       return 0; /* Destination was authentication server */
>   }
> ------------------------- snap ----------------------------------
>
> I would like to ask why these lines are commented out and if it is safe
> to remove the comment and bring them back in? That would close the hole.
>
> I tested with the correct check (lines not commented out), which is
> working fine for me (dhcp and anyip). uamallow is also working fine.
>
> So I am wondering if there is some reason, something I am missing, why
> this check has been made less specific.
>
> I attach a patch which removes the comment, for the case that there is
> no reason for disabling those lines.
>
> kind regards
>
> peter
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: chilli-unsubscribe at coova.org
> For additional commands, e-mail: chilli-help at coova.org
> Wiki: http://coova.org/wiki/index.php/CoovaChilli
> Forum: http://coova.org/phpBB3/viewforum.php?f=4
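The following C program is an added example for this thread; it is not CoovaChilli code and not from either poster. It models the dhcp.c decision quoted above in both forms: the loose version with the protocol/port test commented out, under which any packet to an authip passes (so a squid on the uamlisten address is reachable before login), and the strict version with the test restored and widened by the port parsed from the uamserver URL, as David suggests, so a UAM server on a non-standard port keeps working. The addresses, the squid port 3128, the uamserver URL and the function names (uam_port_from_url, is_auth_server_loose, is_auth_server_strict) are constructed for the scenario; values are in host byte order, whereas dhcp.c compares network order.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#define PROTO_TCP 6
#define PROTO_UDP 17

/* Constructed scenario, not a real deployment: the uamlisten/authip address
 * 10.1.0.1 also hosts a squid listening on 3128, and the UAM login page is
 * served on a non-standard port named in the uamserver URL. */
static const uint32_t AUTHIP[] = { 0x0A010001u };          /* 10.1.0.1 */
static const int AUTHIP_LEN = 1;
static const char *UAMSERVER = "https://10.1.0.1:3990/www/login";

/* Return the TCP port named by an http:// or https:// URL, using the scheme's
 * default when the URL carries no explicit port; -1 if the URL is unusable.
 * This is the "parse out the uamserver url port number" step David suggests. */
int uam_port_from_url(const char *url)
{
    int default_port;
    const char *host;

    if (strncmp(url, "https://", 8) == 0) { default_port = 443; host = url + 8; }
    else if (strncmp(url, "http://", 7) == 0) { default_port = 80; host = url + 7; }
    else return -1;

    const char *end = host + strcspn(host, ":/");   /* host ends at ':' or '/' */
    if (end == host) return -1;                     /* empty host */
    if (*end != ':') return default_port;           /* no explicit port */

    char *after;
    long port = strtol(end + 1, &after, 10);
    if (after == end + 1 || port < 1 || port > 65535) return -1;
    if (*after != '\0' && *after != '/') return -1; /* junk after the port */
    return (int)port;
}

/* The check as quoted from dhcp.c with the protocol/port test commented out:
 * every packet to an authip is treated as a request for the auth server. */
int is_auth_server_loose(uint32_t daddr, int proto, int dport)
{
    (void)proto; (void)dport;
    for (int i = 0; i < AUTHIP_LEN; i++)
        if (daddr == AUTHIP[i]) return 1;
    return 0;
}

/* The check with the commented lines restored, widened by the port taken
 * from the uamserver URL so a non-standard UAM port keeps working. */
int is_auth_server_strict(uint32_t daddr, int proto, int dport)
{
    int allowed[3] = { 80, 443, uam_port_from_url(UAMSERVER) };

    if (proto != PROTO_TCP) return 0;
    int port_ok = 0;
    for (int j = 0; j < 3; j++)
        if (allowed[j] > 0 && dport == allowed[j]) port_ok = 1;
    if (!port_ok) return 0;

    for (int i = 0; i < AUTHIP_LEN; i++)
        if (daddr == AUTHIP[i]) return 1;
    return 0;
}

int main(void)
{
    uint32_t host = AUTHIP[0];
    printf("uamserver port: %d\n", uam_port_from_url(UAMSERVER));
    printf("unauth client -> 10.1.0.1:3128/tcp (squid):     loose=%d strict=%d\n",
           is_auth_server_loose(host, PROTO_TCP, 3128),
           is_auth_server_strict(host, PROTO_TCP, 3128));
    printf("unauth client -> 10.1.0.1:3990/tcp (UAM login): loose=%d strict=%d\n",
           is_auth_server_loose(host, PROTO_TCP, 3990),
           is_auth_server_strict(host, PROTO_TCP, 3990));
    printf("unauth client -> 10.1.0.1:80/udp:               loose=%d strict=%d\n",
           is_auth_server_loose(host, PROTO_UDP, 80),
           is_auth_server_strict(host, PROTO_UDP, 80));
    return 0;
}
```

The loose form returns 1 for the squid port, which is the bypass Peter describes; the strict form returns 0 for it and 1 only for TCP to 80, 443 or the port parsed from the uamserver URL. A deployment that cannot change the check can instead keep the proxy off the uamlisten address or add uamallowed entries for authip:port, the two workarounds David mentions.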