FidoNet Echomail Archive
sync_programming

<<< Previous Index Next >>>

From: mark lewis
To: Digital Man
Date: 2019-06-14 12:12:24
Subject: possible CRYPT bug with no session password

 On 2019 Jun 14 10:47:04, I wrote to you:

 DM>> That means the remote BinkIT system has a session password configured
 DM>> for your node. From binkp.js 1.114 ('-' is the same as a blank/no
 DM>> password):

 DM>>        if (!this.plain_auth_only && password !== '-')
 DM>>                this.sendCmd(this.command.M_NUL, "OPT CRYPT");

 ml> are you saying that if there is no session level password, we should have a
 ml> '-' in the session password field in echocfg??

of course that was wrong but if one was put in there, it should work the
same... i've glanced over the code and i note that if the password is
undefined, it is set to '-'... is it possible that maybe the password is
not just undefined but it is blank?

        if (password === undefined)
                password = '-';
        if (password === '-')
                this.require_md5 = false;

should

                this.wont_crypt = true;
                this.require_crypt = false;

be set up there where "this.require_md5 = false" is set instead
of being set further down? then checking additional values would prevent
"OPT CRYPT" from being sent as well??

)\/(ark

Always Mount a Scratch Monkey
Do you manage your own servers? If you are not running an IDS/IPS yer doin'
it wrong...
... I am celibate by choice - not mine, mind you.
---
 * Origin:  (1:3634/12.73)
SEEN-BY: 1/120 18/0 103/705 123/0 25 50 150 153/7715 154/10 30 40 700 203/0
SEEN-BY: 221/0 6 227/201 400 229/426 240/5832 261/38 280/464 5003 340/800
SEEN-BY: 396/45 423/120 633/0 267 280 281 384 412 509 712/848 770/1 3634/0 12
SEEN-BY: 3634/50 119
@PATH: 3634/12 154/10 280/464 712/848 633/280 267


<<< Previous Index Next >>>