You are here: Home » Reply

Reply To: Admin Interface results in 401

#17395

mplak

@robertcraven wrote:

The browser asks me for the account data, I enter no user name and the 0000-password, and then I get the 401.

I ran into the same problem: can’t get onto the admin pages, 401 error.
I debugged it and found a potential problem, which does not seem to be debian specific. [ Update: Looks like a debian specific problem after all, the security backport in webserver.c wasn’t compatible with the ws_decodepassword in r1376). ]

The problematic code was introduced in webserver.c by change 1679, which is a security fix. This fix was included in the debian package (0.2.4+r1376-1.1+etch1) on 9th Jun 2008.

My fix was to rebuild the package (mt-daapd-0.2.4+r1376) from source, and change webserver.c on line 969 from:

if((auth) && (ws_decodepassword(auth,&username, &password))) {

to

if((auth) && (0==ws_decodepassword(auth,&username, &password))) {

[ Update: this change is needed for debian patches applied to r1376 only.]

I’ve sent the details to Ron.

You can look for an older binary debian package, 0.2.4+r1376-1, that does not include this security fix, as a temporary workaround.
[ Update: mt-daapd_0.2.4+r1376-1.1+etch2_amd64.deb contains this fix ].