check for request for authentication server allows bypassing?
Peter Warasin
peter at endian.com
Tue Aug 5 17:34:02 UTC 2008
Hi guys

I found out that coovachilli allows access to the whole uamlisten ip
address whether the user is authenticated or not.

In my case there is a squid running on the same host, which then allows
people to bypass the hotspot by manually configuring their browsers in
order to use that proxy.

This is due to some lines commented out in dhcp.c:1936, which makes the
check whether it is a request for the auth server or not less specific.
------------------------- snip ----------------------------------
/* Was it a request for authentication server? */
for (i = 0; i<this->authiplen; i++) {
  if ((pack->iph.daddr == this->authip[i].s_addr) /* &&
      (pack->iph.protocol == PKT_IP_PROTO_TCP) &&
      ((tcph->dst == htons(DHCP_HTTP)) ||
       (tcph->dst == htons(DHCP_HTTPS)))*/)
    return 0; /* Destination was authentication server */
}
------------------------- snap ----------------------------------
I would like to ask why these lines are commented out and if it is safe
to remove the comment and bring them back in? That would close the hole.

I tested with the correct check (lines not commented out), which is
working fine for me (dhcp and anyip). uamallow is also working fine.

So I am wondering if there is some reason, something I am missing, why
this check has been made less specific.

I attach a patch which removes the comment, for the case that there is
no reason for disabling those lines.

kind regards
peter
--
:: e n d i a n
:: open source - open minds
:: peter warasin
:: http://www.endian.com :: peter at endian.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: close_access_to_host.patch
Type: text/x-diff
Size: 1033 bytes
Desc: not available
URL: <http://lists.coova.org/pipermail/chilli/attachments/20080805/cad9ada8/attachment.patch>
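
The two forms of the check side by side, as an added example that is not part of the original post or of CoovaChilli's code. `struct pkt`, the function names and `classify` are hypothetical stand-ins; the values 80/443 for DHCP_HTTP/DHCP_HTTPS and 3128 as the proxy port are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <arpa/inet.h>

/* Simplified stand-ins for the fields the check reads; not CoovaChilli's
 * real packet structures. Port values are assumed (80/443). */
#define PKT_IP_PROTO_TCP 6
#define DHCP_HTTP  80
#define DHCP_HTTPS 443

struct pkt {
    uint32_t daddr;    /* destination IPv4 address, network byte order */
    uint8_t  protocol; /* IP protocol number */
    uint16_t dst;      /* TCP destination port, network byte order */
};

/* Check as quoted in the post: any packet to an auth-server IP matches.
 * Returns 1 on match (the quoted code returns 0 at this point). */
int is_auth_request_loose(const struct pkt *p, const uint32_t *authip, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (p->daddr == authip[i])
            return 1;
    return 0;
}

/* Check with the commented-out conditions restored: TCP to 80/443 only. */
int is_auth_request_strict(const struct pkt *p, const uint32_t *authip, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (p->daddr == authip[i] &&
            p->protocol == PKT_IP_PROTO_TCP &&
            (p->dst == htons(DHCP_HTTP) || p->dst == htons(DHCP_HTTPS)))
            return 1;
    return 0;
}

/* Constructed sample: auth server 10.1.0.1, one packet sent to `port`. */
int classify(int strict, uint8_t proto, uint16_t port)
{
    uint32_t authip[] = { htonl(0x0A010001) };
    struct pkt p = { authip[0], proto, htons(port) };
    return strict ? is_auth_request_strict(&p, authip, 1)
                  : is_auth_request_loose(&p, authip, 1);
}
```

With the loose check a TCP packet to port 3128 on the auth-server address is treated as an authentication request; with the restored conditions only TCP to ports 80 and 443 is.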