Ok, should be fixed now. We were treating the string we read from the remote controller socket as a list, and that was wrong, as special characters like "{" must be quoted in lists. I convert the string to a list by using split. Additionally, I've disabled the remote parsing when remote is not enabled, which avoids parsing the command at all.
Also, I've added a 3-second wait on authentication failure, to avoid brute-force dictionary attacks.

Greets.

On 4/22/07, Álvaro J. Iradier <[EMAIL PROTECTED]> wrote:
> Ok, the port is used for remote controlling too, I'm checking what's
> wrong with it...
>
> On 4/22/07, Álvaro J. Iradier <[EMAIL PROTECTED]> wrote:
> > Isn't the profile lock port bound to 127.0.0.1, so it only listens to
> > local connections? In that case, it can't be remotely exploited...
> >
> > On 4/22/07, Youness Alaoui <[EMAIL PROTECTED]> wrote:
> > > Hi,
> > >
> > > I'm a developer and admin of the aMSN project, someone just sent me this
> > > link
> > > (
> > > http://lists.grok.org.uk/pipermail/full-disclosure/2007-April/053912.html
> > > ).
> > >
> > > I just grepped in the source code and that port (31337) is not used by
> > > aMSN, it could be a port used for a
> > > profile (as a locking system), in which case the port is randomly chosen
> > > each time, so this is probably just a
> > > fluke, he found the port of his current aMSN instance and used it.
> > >
> > > As I don't have more info, I can't really test this bug and find the real
> > > cause and fix it, so it would be nice
> > > to have more info about this.
> > >
> > > Seeing how the user replied on the "Vendor contacted?" tag, I wonder if I
> > > can get any more info on this matter.
> > >
> > > Thanks,
> > > KaKaRoTo

--
(:===========================================:)
Alvaro J. Iradier Muro - [EMAIL PROTECTED]

_______________________________________________
Amsn-devel mailing list
Amsn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amsn-devel
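
The parsing problem described in the message above, as an added Tcl example that is not aMSN's code: applying a list command to a raw line read from a socket raises an error on an unbalanced brace or quote, while `split` accepts any string. The proc names and the sample lines are constructed for illustration.

```tcl
# Constructed sample lines standing in for text read from a control socket.
# The second and third are not well-formed Tcl lists.
set samples [list "auth alice s3cret" "status \{" "msg bob \"hi"]

# Fragile: a list command forces the raw string to be parsed as a Tcl list.
# An unbalanced brace or quote makes that parse raise an error.
proc parse_as_list {line} {
    return [llength $line]
}

# Robust: split only cuts on the separator character. Braces and quotes
# are ordinary characters, so every input produces a valid list.
proc parse_with_split {line} {
    return [split $line " "]
}

foreach line $samples {
    if {[catch {parse_as_list $line} res]} {
        puts "as list : ERROR for <$line>: $res"
    } else {
        puts "as list : ok for <$line>, $res elements"
    }
    set words [parse_with_split $line]
    puts "split   : [llength $words] words, command = [lindex $words 0]"
}
```

If the list-parse error is not caught, it propagates out of the handler that reads the socket, which is why input from a peer should reach list commands only after `split` (or an equivalent explicit conversion) has turned it into a well-formed list.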