[ https://issues.apache.org/jira/browse/VCL-745?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andy Kurth resolved VCL-745.
----------------------------

    Resolution: Fixed

> Windows.pm user_logged_in does not check for imaging requests
> -------------------------------------------------------------
>
>                 Key: VCL-745
>                 URL: https://issues.apache.org/jira/browse/VCL-745
>             Project: VCL
>          Issue Type: Bug
>          Components: vcld (backend)
>    Affects Versions: 2.3.2
>            Reporter: Andy Kurth
>            Assignee: Andy Kurth
>            Priority: Minor
>             Fix For: 2.4
>
>
> During the period when a reservation is in the reserved state, the 
> check_connection_on_port subroutine in Windows.pm detects when a connection 
> is made on the port corresponding to the connection method (3389 in this 
> case).  When a connection is detected, check_connection_on_port also checks 
> if the connection is from the same IP address which was captured by the 
> website when the user clicked Connect.  The IP addresses normally match but 
> in some cases such as when a VPN is used they may be different.  When 
> different, an additional step is performed to call the user_logged_in 
> subroutine in Windows.pm to retrieve the names of the users logged in to the 
> reservation computer.  This is necessary because the firewall is open to any 
> address during this period.  Someone doing a port scan may connect to the 
> computer.  We need to verify that the connection is from the actual user by 
> checking if a user matching the reservation username is logged in.  If the 
> reservation user is logged in, it is assumed that the VPN situation 
> occurred and the IP address the user connected from is assumed to be correct 
> and the firewall is configured properly.
> As you know, for imaging requests the "Administrator" user is used to login 
> to the reservation instead of the normal username.  The user_logged_in 
> subroutine uses the normal username if no argument is supplied without 
> checking if this is an imaging request or not.  As a result, it never 
> detects that Administrator is logged in.  After the loop times out, the 
> firewall is locked down to the IP address retrieved from the website.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
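
The check described in the issue above, as an added Perl example that is not VCL's Windows.pm code or the committed fix: it runs the same imaging request through the username default the issue describes and through an imaging-aware default. Every subroutine name, hash key and sample value here is hypothetical and constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# All names below are hypothetical; this is not VCL's Windows.pm.

# Behaviour described in the issue: the default is always the normal username.
sub expected_login_before { my ($req) = @_; return $req->{username}; }

# Imaging-aware default: imaging requests log in as Administrator.
sub expected_login_after {
    my ($req) = @_;
    return $req->{is_imaging} ? 'Administrator' : $req->{username};
}

# Returns the IP to lock the firewall to, or undef when the connection
# cannot be attributed to the reservation user (caller keeps polling).
sub attributed_ip {
    my ($req, $connected_ip, $logged_in, $expected_login) = @_;

    # Same address the website captured: nothing more to verify.
    return $connected_ip if $connected_ip eq $req->{web_ip};

    # Different address: accept it only if the expected account is logged in.
    # Windows account names are case-insensitive, so compare lowercased.
    my $want = lc($expected_login->($req));
    return $connected_ip if grep { lc($_) eq $want } @$logged_in;
    return;
}

# Constructed sample: imaging request, user connects through a VPN.
my %req       = (username => 'jdoe', is_imaging => 1, web_ip => '192.0.2.10');
my @logged_in = ('Administrator');
my $vpn_ip    = '198.51.100.7';

for my $case (['before', \&expected_login_before], ['after', \&expected_login_after]) {
    my ($label, $fn) = @$case;
    my $ip = attributed_ip(\%req, $vpn_ip, \@logged_in, $fn);
    printf "%-6s -> %s\n", $label,
        defined $ip ? "lock firewall to $ip"
                    : "no match; on timeout lock to $req{web_ip}";
}
```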
