CVS log for loncom/auth/lontokacc.pm

Request diff between arbitrary revisions

Keyword substitution: kv
Default branch: MAIN
Current tag: version_0_6_2

Revision 1.7: download - view: text, markup, annotated - select for diffs
Mon Oct 21 19:15:10 2002 UTC (21 years, 6 months ago) by bowersj2
Branches: MAIN
CVS tags: version_0_99_3, version_0_99_2, version_0_99_1, version_0_99_0, version_0_6_2, version_0_6, conference_2003
Diff to previous 1.6: preferred, colored
Changes since revision 1.6: +9 -5 lines

This took way longer then it should have.

lonracc and lontokacc will now be accepting when one of two conditions
is met:

* The double-reverse lookup, according to $r->get_remote_host(REMOTE_DOUBLE_REV)
  is successful. This is identical to before.
* The claimed host is the same as the current server, which works even with
  wonky /etc/hosts files.

I was initially worried this might be a potential security problem, but I do
not believe it is. The reason is that this clause ONLY comes into effect
when you're trying to spoof yourself as the server you are talking to. Even
if you succeed, the server will then proceed to send itself a subscription
request, which is not a big deal, PLUS the reason this is occuring in the
first place is that the name maps back to 127.0.0.1, SO this request will
go through the local interface anyhow, meaning Mr. Remote Attacker can't even
see the subscription request that wouldn't help him anyhow.

So in the end, all this does is hypothetically allow an attacker to cause a
server machine to subscribe itself to resources it hosts. This does not give
the hypothetical attacker any benefit. Thus, this is not a security hole.

Diff request

This form allows you to request diffs between any two revisions of a file. You may select a symbolic revision name using the selection box or you may type in a numeric name using the type-in text box.

Diffs between
and

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>

Preferred diff type:
View only branch:
Sort log by: