Web UI Security Problems

Issue #996 new
Joe Posner created an issue

The serviio web server starts up a web-accessible console at http://[hostname]:23423/console which presents the following security concerns:

1) Browsing of all directories on the server it's being run on can be done by using the "add shared folder" interface
2) The password that protects the media browser web interface on port 23424 can be edited in this non-password-protected interface

The interface on 23423 should be password protectable, and Serviio should also support a configuration option to not provide console access via a web interface.

Comments (4)

  1. Dan

    I doubt the web interface will go away (and personally I wouldn't want it to), but I would think that it could be restricted to local PC only. Password protection does seem a reasonable idea.

  2. Petr Nejedly repo owner

    Password would have to be set up somewhere. Either during install (that would work on Windows) or in some property file - not user friendly and not much more secure. If someone has a different idea I'll gladly hear them. Otherwise this will be closed.

    For local access only, you can change your firewall rules for port 23423.

  3. Dan

    Petr, what if the first time a connection to the console occurs, it could ask if a password was desired, and if so save it in the DB (encrypted). If the password creation was declined, then the console would work as it does now. There could be a place on the console to modify, enable or disable a password at a later time. If the password was forgotten or lost, the field in the DB could be deleted to remove the password requirement, again allowing access. Since it's not a simple task to delete the DB field, it's not likely someone could easily break into the DB to do so. Especially since you are running Derby in single user mode. Since there's no way to access the DB externally while Serviio is running, that would make the password storage pretty safe. Yes, not user friendly to delete the DB field, but then most lost password recovery efforts are not user friendly :)
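The following is an added example, not Serviio code or anything the repo owner has proposed, of the control flow discussed in the two suggestions above: Petr's "local access only" restriction and Dan's optional console password that is stored in the database, checked on every request, and recoverable by deleting the stored field. It assumes an in-memory SQLite table as a stand-in for Serviio's Derby database, and it stores a salted PBKDF2 hash rather than the reversible "encrypted" value mentioned in the comment, since a hash is what a password check needs and cannot be turned back into the password if the DB is read. All table, column and function names are invented for the illustration.

```python
import hashlib
import hmac
import ipaddress
import os
import sqlite3
from typing import Optional, Tuple

# Constructed stand-in for the Derby settings store: one key/value table.
SCHEMA = "CREATE TABLE IF NOT EXISTS console_settings (key TEXT PRIMARY KEY, value BLOB)"
SALT_LEN = 16
PBKDF2_ITERATIONS = 200_000  # assumed work factor; tune to the host


def open_db(path: str = ":memory:") -> sqlite3.Connection:
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    return conn


def _get(conn: sqlite3.Connection, key: str) -> Optional[bytes]:
    row = conn.execute("SELECT value FROM console_settings WHERE key = ?", (key,)).fetchone()
    return row[0] if row else None


def _set(conn: sqlite3.Connection, key: str, value: bytes) -> None:
    conn.execute("INSERT OR REPLACE INTO console_settings (key, value) VALUES (?, ?)", (key, value))
    conn.commit()


def password_is_set(conn: sqlite3.Connection) -> bool:
    return _get(conn, "console_password") is not None


def set_password(conn: sqlite3.Connection, password: str) -> None:
    """First-run (or later) setup: store salt || PBKDF2-HMAC-SHA256(password)."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    _set(conn, "console_password", salt + digest)


def clear_password(conn: sqlite3.Connection) -> None:
    """The lost-password recovery path from the comment: delete the DB field."""
    conn.execute("DELETE FROM console_settings WHERE key = 'console_password'")
    conn.commit()


def verify_password(conn: sqlite3.Connection, candidate: str) -> bool:
    stored = _get(conn, "console_password")
    if stored is None:
        return True  # no password configured: console behaves as it does today
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    cand = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    # Constant-time comparison so a wrong guess takes the same time as a near miss.
    return hmac.compare_digest(cand, digest)


def set_local_only(conn: sqlite3.Connection, enabled: bool) -> None:
    _set(conn, "console_local_only", b"1" if enabled else b"0")


def local_only(conn: sqlite3.Connection) -> bool:
    return _get(conn, "console_local_only") == b"1"


def authorize_console_request(conn: sqlite3.Connection, remote_addr: str,
                              supplied_password: Optional[str]) -> Tuple[bool, str]:
    """Gate for every request to the :23423 console. Returns (allowed, reason).

    Order matters: the loopback check runs first so a remote client never
    reaches the password prompt when local-only mode is on.
    """
    if local_only(conn) and not ipaddress.ip_address(remote_addr).is_loopback:
        return False, "console restricted to local machine"
    if not password_is_set(conn):
        return True, "no password configured (first-run prompt would be shown)"
    if supplied_password is None:
        return False, "password required"
    if not verify_password(conn, supplied_password):
        return False, "bad password"
    return True, "ok"


if __name__ == "__main__":
    db = open_db()
    print(authorize_console_request(db, "192.168.1.5", None))        # allowed: nothing configured yet
    set_password(db, "correct horse")
    print(authorize_console_request(db, "192.168.1.5", "wrong"))     # bad password
    set_local_only(db, True)
    print(authorize_console_request(db, "192.168.1.5", "correct horse"))  # blocked: not loopback
    print(authorize_console_request(db, "127.0.0.1", "correct horse"))    # ok
```

The two settings are independent so an operator can use either one: local-only mode covers the case Petr addresses with firewall rules but does it inside the application, and the password covers the remote-administration case the issue asks for. The "no password configured" branch is the point where a real console would render Dan's first-run prompt.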
