
Commit c65542f8 authored by rswindell

Fix long standing bug with the global JS function login():

A few *service.js scripts call this function without a password argument
(the second argument), e.g. login("guest");
If there was no guest account (or the guest account had a password assigned),
this would result in a failed login attempt as "guest" along with a garbage
password (e.g. a floating point number, like 3.7042561) and since it would
be a unique garbage password for each login() call without an actual password
specified, these login() calls would be counted as unique failed login attempts
and potentially cause the client's IP address to be added to the hack.log
and even ip.can (IP address filter).

As seen on Mortifis' system where VERT was filtered due to
"SUSPECTED NNTP LOGIN HACK ATTEMPT", likely due to the daily sbbslist
verifications which just perform a TCP connection and no actual login attempt,
but nntpservice.js would still call login("guest") before the client (vert)
would be disconnected.
parent 27b2494b
......@@ -348,7 +348,7 @@ js_login(JSContext *cx, uintN argc, jsval *arglist)
JSObject *obj=JS_THIS_OBJECT(cx, arglist);
jsval *argv=JS_ARGV(cx, arglist);
char* user;
char* pass;
char* pass = NULL;
JSBool inc_logons=JS_FALSE;
jsval val;
service_client_t* client;
......@@ -365,10 +365,11 @@ js_login(JSContext *cx, uintN argc, jsval *arglist)
return(JS_FALSE);
/* Password */
JSVALUE_TO_ASTRING(cx, argv[1], pass, LEN_PASS+2, NULL);
if(pass==NULL)
return(JS_FALSE);
if(argc > 1) {
JSVALUE_TO_ASTRING(cx, argv[1], pass, LEN_PASS+2, NULL);
if(pass==NULL)
return(JS_FALSE);
}
rc=JS_SUSPENDREQUEST(cx);
memset(&client->user,0,sizeof(user_t));
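Review bot: the new `if(argc > 1)` guard only covers the case where the second argument is omitted entirely; a script that passes it explicitly as `undefined` or `null` (for example `login(user, some_object.pass)` with that property unset) still reaches JSVALUE_TO_ASTRING and has that value stringified into `pass`, so the failed-attempt behaviour described in the commit message would recur for that call shape. Consider extending the condition to `if(argc > 1 && !JSVAL_IS_VOID(argv[1]) && !JSVAL_IS_NULL(argv[1]))` so `pass` stays NULL in those cases as well.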
......@@ -399,7 +400,7 @@ js_login(JSContext *cx, uintN argc, jsval *arglist)
}
/* Password */
if(client->user.pass[0] && stricmp(client->user.pass,pass)) { /* Wrong password */
if(client->user.pass[0] && (pass == NULL || stricmp(client->user.pass,pass))) { /* Wrong password */
lprintf(LOG_WARNING,"%04d %s !INVALID PASSWORD ATTEMPT FOR USER: %s"
,client->socket,client->service->protocol,client->user.alias);
badlogin(client->socket, client->service->protocol, user, pass, client->client->host, &client->addr);
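Review bot: at the `badlogin(...)` line `pass` can now be NULL, so confirm that badlogin() and whatever it feeds (the hack.log entry, the ip.can filter decision) tolerate a NULL password argument; if the password is formatted with `%s` anywhere on that path, this is a crash on exactly the call shape the commit is fixing. Passing `pass ? pass : ""` at the call site, or adding an explicit NULL check inside badlogin(), would make it safe. Worth stating in the commit message too: a login() call that omits the password against a password-protected account is still logged as an invalid password attempt, it just no longer carries a unique garbage password per call.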
......