Subj : src/sbbs3/services.c
To   : CVS commit
From : rswindell
Date : Fri Oct 20 2023 20:19:52

src/sbbs3 services.c 1.330 1.331
Update of /cvsroot/sbbs/src/sbbs3
In directory cvs:/tmp/cvs-serv16636

Modified Files:
	services.c 
Log Message:
Fix long standing bug with the global JS function login():
A few *service.js scripts call this function without a password argument
(the second argument), e.g. login("guest");
If there was no guest account (or the guest account had a password assigned),
this would result in a failed login attempt as "guest" along with a garbage
password (e.g. a floating point number, like 3.7042561) and since it would
be a unique garbage password for each login() call without an actual password
specified, these login() calls would be counted as unique failed login attempts
and potentially cause the client's IP address to be added to the hack.log
and even ip.can (IP address filter).

As seen on Mortifis' system where VERT was filtereed due to
"SUSPECTED NNTP LOGIN HACK ATTEMPT", likely due to the daily sbbslist
verifications when just perform a TCP connection and no actual login attempt,
but nntpservice.js would still call login("guest") before the client (vert)
would be disconnected.


--- SBBSecho 3.20-Linux
 * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)

.