I'm going to say that's my fault :) Back on 7.x (maybe early 8.x) one of our techs (Eamon) discovered that whatever you entered on the SM was displayed on the AP in the session list. His proof of concept was putting an img tag that loaded one of those early shocker images in the site name on a SM. You loaded the AP session list and got a hilarious visual that you couldn't unsee :-) He tried reporting it to Moto and got nowhere fast.
At the next AF I asked some Moto people and they were like, so what? So I reworked it with a javascript tag in the site name on a SM for a little show & tell. Loaded the AP session list and you got a popup. I was like, you know since this is javascript I can manipulate the DOM* and hijack things, right? and they noted it and it was fixed pretty soon after. I think in the "security release" that added RADIUS support.

*DOM being the browser's internal representation of the web page. Essentially you could cause the browser to take any action on your behalf that the browser's user could take.

Example being for those of you that don't use RADIUS/BAM (this was pre-RADIUS) (cough powercode users cough) one could register a SM with the right payload in the site name to a competitor's AP, call them up for support and get them to look at the session list, and then your payload would make config changes to the AP.

On Thu, Jul 9, 2015 at 6:19 PM, George Skorup <[email protected]> wrote:

> That has been around since I think v8 and has always annoyed me. I come
> across "No Site Name" SMs from time to time. Go look in the IP database and
> the customer's name is usually O' something. Shows you how much people pay
> attention.
>
> On 7/9/2015 6:10 PM, Bill Prince wrote:
>
> I posted this on the Cambium forum too. I thought I'd put single quotes in
> the Site Name field in the past. So I "think" this might be some corner
> case with the text-based config file.
>
> I had a site that required a single quote (e.g. O'Hara).
>
> When I saved the change, the display stayed as "No Site Name", but did not
> give an error.
>
> So I tried to put the site name in via the configuration file. When that
> configuration was applied, the GUI indicated that Site Name had an "error
> 1".
>
> So I re-entered the name as "OHara", and it took.
>
> So the GUI should indicate that the single quote (and possibly other
> characters) are not allowed, instead of passively going back to "No Site
> Name". Or maybe it could just drop the illegal characters.
>
> --
> bp
> <part15sbs{at}gmail{dot}com>
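Added example, not part of the thread and not the vendor's firmware code: a sketch of output-encoding SM-supplied fields at the point where a session list is rendered, so that a name like O'Hara is displayed as typed and any markup in the site name shows up as inert text. The function names, field names, allowlist and sample rows are all assumptions made for illustration.

```javascript
// Hypothetical session-list renderer; every name here is illustrative.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Encode the five characters that can change HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Every SM-supplied field is encoded on output, not filtered on input.
function renderSessionRow(session) {
  const cells = [session.luid, session.mac, session.siteName || "No Site Name"];
  return "<tr>" + cells.map((c) => `<td>${escapeHtml(c)}</td>`).join("") + "</tr>";
}

function renderSessionList(sessions) {
  return "<table>" + sessions.map(renderSessionRow).join("") + "</table>";
}

// Regression check: list any element names in the rendered page that the
// template itself does not emit. A non-empty result means a field leaked markup.
function unexpectedTags(html, allowed = ["table", "tr", "td"]) {
  const found = new Set();
  for (const m of html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g)) {
    const name = m[1].toLowerCase();
    if (!allowed.includes(name)) found.add(name);
  }
  return [...found];
}

// Constructed sample rows (MACs are from the documentation range).
const sampleSessions = [
  { luid: 2, mac: "00-00-5e-00-53-01", siteName: "O'Hara" },
  { luid: 3, mac: "00-00-5e-00-53-02", siteName: '<img src="x">' },
  { luid: 4, mac: "00-00-5e-00-53-03", siteName: "<script>alert(1)</script>" },
  { luid: 5, mac: "00-00-5e-00-53-04", siteName: "" },
];

console.log(renderSessionList(sampleSessions));
console.log("unexpected tags:", unexpectedTags(renderSessionList(sampleSessions)));
```

Encoding at render time addresses both complaints in the thread: the apostrophe no longer has to be rejected, and the session list cannot be turned into script by whatever an SM reports.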
