oss-sec mailing list archives

Broken authentication on Monkey HTTPD Auth plugin


From: Felipe Pena <felipensp () gmail com>
Date: Fri, 7 Jun 2013 09:46:52 -0300

I've found an issue in the way Monkey HTTPD Auth login performs
authentication:

CVE-2013-2159 - Broken username checking on Auth plugin

Due to strncmp() misuse, the username checking phase was matching different
usernames when checking the N initial bytes from the username list.

$ ./mk_passwd -c -b ../plugins/auth/users.mk felipe123 bar
[+] Adding user felipe123
$ ./mk_passwd -b ../plugins/auth/users.mk felipe foo
[+] Adding user felipe

In this scenario, we only manage to log in with the 'felipe' username using
'bar' as the password, since strncmp() was using the first 6 bytes to match
the usernames.

The bug has been fixed, more details at
http://bugs.monkey-project.com/ticket/183

-- 
Regards,
Felipe Pena
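
The prefix match described in the report, beside an exact-match lookup, as an added example that is not code from the Monkey project or from the original post. The struct, the function names and the in-memory user table are hypothetical, and the compare length is assumed to be the length of the supplied username, which is consistent with the 6 bytes mentioned above.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the parsed users.mk entries, in the order
 * the report created them. "secret" stands in for whatever credential
 * data is stored per user (hypothetical layout). */
struct user { const char *name; const char *secret; };

static const struct user users[] = {
    { "felipe123", "bar" },
    { "felipe",    "foo" },
};
#define N_USERS (sizeof(users) / sizeof(users[0]))

/* Flawed lookup: compares only strlen(input) bytes, so the first entry
 * that merely starts with the supplied name is treated as a match. */
const struct user *lookup_prefix(const char *input)
{
    size_t n = strlen(input);
    for (size_t i = 0; i < N_USERS; i++)
        if (strncmp(users[i].name, input, n) == 0)
            return &users[i];
    return NULL;
}

/* One way to correct it (assumed, not the project's actual patch):
 * lengths must be equal before the bytes are compared. */
const struct user *lookup_exact(const char *input)
{
    size_t n = strlen(input);
    for (size_t i = 0; i < N_USERS; i++)
        if (strlen(users[i].name) == n &&
            memcmp(users[i].name, input, n) == 0)
            return &users[i];
    return NULL;
}

int main(void)
{
    const struct user *a = lookup_prefix("felipe");
    const struct user *b = lookup_exact("felipe");
    printf("prefix match -> %s (secret %s)\n", a->name, a->secret);
    printf("exact match  -> %s (secret %s)\n", b->name, b->secret);
    return 0;
}
```

With the prefix lookup, 'felipe' resolves to the 'felipe123' entry and is therefore checked against 'bar', which is the behaviour the report describes.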
