Fixed: NTLM authentication doesn't work for NT-encoded passwords and may cause account blocking (reported by boris16 at tut.by)
CC'ing net-proxy this does not really sound like a security issue, does it?
Created attachment 101536 [details, diff] The only source file differences between 0.5.3 and 0.5.3a This patch contains the only source file differences between 0.5.3 and 0.5.3a.
I've bumped the version to 0.5.3a, but I don't understand the problem. In first case, 2 pointers are converted to unsigned, then substracted, then the result is casted to unsigned char. In second case, 2 pointers are converted to (unsigned char*), then substracted, then the result is casted to unsigned char. At first look, I don't see any difference between those 2 cases. Mike, can you explain it, please?
that change is what i requested the diff you should be reviewing is 0.5.2 to 0.5.3a
Doesn't look like a security issue to me. The only NTLM related change is in proxy.c file: "HTTP/1.0 407 Proxy Authentication Required\r\n" - "Proxy-Authenticate: basic realm=\"proxy\"\r\n" "Proxy-Authenticate: NTLM\r\n" + "Proxy-Authenticate: basic realm=\"proxy\"\r\n" "Proxy-Connection: close\r\n"
Alin/SpanKY any news on this one? Or is it INVALID?
I've looked over the diff between 0.5.2 and 0.5.3 and I didn't found a security security issue in it. Ask Mike if he has knowledge of such issue (he isn't member of net-proxy team so it doesn't receive this comment on email).
Thx Alin. SpanKY is on the security team, so he should be getting these as well.
not a security issue, thanks Alin for reviewing i tend to read security lists in bulk ;)