[jcifs] jcifs-0.9.1 released / Security Update

Michael B Allen mba2000 at ioplex.com
Wed Jun 2 06:32:37 GMT 2004


It has been determined that if the "GUEST" account on the CIFS server is
enabled, jCIFS may successfully authenticate an invalid username. For
example, it is not uncommon to manage to configure Samba in this way. NTLM
HTTP Authentication Filter users that are not certain the "GUEST" account
is not disabled should upgrade to 0.9.1. This release will not
successfully authenticate a username that is not valid on the target CIFS
server (domain controller).

Note that if "GUEST" is the supplied username and "GUEST" is enabled, then
that is a valid authentication.

Thanks to Sebastian Rehbach for illuminating this issue.

Mike
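
The following is an added example, not part of the original message and not jCIFS code: one way a client can tell a real logon from a guest fallback, by checking the guest bit in the Action field of the SMB_COM_SESSION_SETUP_ANDX response. The class and method names are hypothetical, the response bytes are constructed, and the message does not say how 0.9.1 itself detects the condition.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;

public class GuestLogonCheck {
    static final int SMB_COM_SESSION_SETUP_ANDX = 0x73;
    static final int SMB_SETUP_GUEST = 0x0001; // Action bit 0: session was logged on as guest

    /** True only if the server accepted the logon as the named user, not via guest fallback. */
    static boolean authenticatedAsUser(byte[] resp, String username) {
        if (resp.length < 39) return false;          // 32-byte header + WordCount + 3 words
        ByteBuffer b = ByteBuffer.wrap(resp).order(ByteOrder.LITTLE_ENDIAN);
        if (b.getInt(0) != 0x424D53FF) return false; // protocol id: 0xFF 'S' 'M' 'B'
        if ((b.get(4) & 0xFF) != SMB_COM_SESSION_SETUP_ANDX) return false;
        if (b.getInt(5) != 0) return false;          // NT status must be STATUS_SUCCESS
        if ((b.get(32) & 0xFF) < 3) return false;    // WordCount must cover the Action word
        // Words: AndXCommand(1) AndXReserved(1) AndXOffset(2) Action(2)
        int action = b.getShort(37) & 0xFFFF;
        boolean guest = (action & SMB_SETUP_GUEST) != 0;
        // A guest session is acceptable only when the caller actually asked for GUEST.
        return !guest || "GUEST".equalsIgnoreCase(username);
    }

    /** Constructed sample: a minimal successful response carrying the given Action value. */
    static byte[] sample(int action) {
        ByteBuffer b = ByteBuffer.allocate(41).order(ByteOrder.LITTLE_ENDIAN);
        b.putInt(0, 0x424D53FF);
        b.put(4, (byte) SMB_COM_SESSION_SETUP_ANDX);
        b.put(32, (byte) 3);                         // WordCount
        b.put(33, (byte) 0xFF);                      // AndXCommand: no chained command
        b.putShort(37, (short) action);
        return b.array();                            // ByteCount (offsets 39-40) stays 0
    }

    public static void main(String[] args) {
        // Normal logon, guest fallback for an unknown name, and an explicit GUEST logon.
        System.out.println(authenticatedAsUser(sample(0), "alice"));
        System.out.println(authenticatedAsUser(sample(1), "no_such_user"));
        System.out.println(authenticatedAsUser(sample(1), "guest"));
    }
}
```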




