Security of WebServer
#1
Hello,

It seems that the security that topfs was talking about is still not implemented and risks not being in Dharma final.

The main problem is that when you activate the WebServer, it allows full access to all the data on the computer.

(Just try: http://ip:port/vfs/C:%5CWindows%5Csystem.ini)

And since it seems 99% of users don't take the time to put a password, you should implement some kind of security to only allow access by default to the xbmc dir and to the sources dir.

If you don't have time before final, at least add a big warning when activating the web server or force the need to use a password.

Tolriq.
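One way to implement the restriction proposed in post #1 (serve only files under the XBMC directory and the configured sources), as an added example that is not from this thread or from XBMC's code. The function name, the allow-list entries and the sample requests are assumptions constructed for illustration; the check is lexical and uses Windows path rules to match the URL in the post.

```python
import ntpath  # Windows path rules, usable on any OS for a purely lexical check
from urllib.parse import unquote

# Constructed allow-list: an assumed XBMC install dir and one assumed media source.
ALLOWED_ROOTS = [r"C:\Program Files\XBMC", r"D:\Media\Movies"]
VFS_PREFIX = "/vfs/"


def _canon(path):
    """Unify separators, collapse '.' and '..', and fold case for comparison."""
    return ntpath.normcase(ntpath.normpath(path))


def resolve_vfs_request(url_path, roots=ALLOWED_ROOTS):
    """Return the normalised file path for a /vfs/ request, or None to refuse it.

    Lexical check only: a real handler must also resolve symlinks and
    junctions on disk before comparing against the allowed roots.
    """
    if not url_path.startswith(VFS_PREFIX):
        return None
    raw = unquote(url_path[len(VFS_PREFIX):])  # decode exactly once
    # Refuse NUL bytes and anything that is not a fully qualified path
    # (relative paths, drive-relative "C:foo", leftover encoded separators).
    if "\x00" in raw or not ntpath.isabs(raw):
        return None
    candidate = _canon(raw)
    for root in roots:
        # Comparing against "root\" keeps sibling dirs such as "XBMC-old" out.
        base = _canon(root).rstrip("\\") + "\\"
        if candidate.startswith(base):
            return ntpath.normpath(raw)
    return None


if __name__ == "__main__":
    # Constructed sample requests; the first is the URL form quoted in post #1.
    for req in (
        "/vfs/C:%5CWindows%5Csystem.ini",
        "/vfs/D:%5CMedia%5CMovies%5Cfilm.mkv",
        "/vfs/D:%5CMedia%5CMovies%5C..%5C..%5Cprivate%5Cnotes.txt",
        "/vfs/C:/Program%20Files/XBMC-old/x.txt",
    ):
        print(req, "->", resolve_vfs_request(req))
```

A deny-by-default allow-list like this limits what the web server will read, and it complements running XBMC under a limited user account rather than replacing it.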
#2
In fairness, whilst this needs to be addressed, I don't really see it being a critical show stopper by any means. It should only be enabled on your local network, and you should be able to trust clients on your local network.

That being said, if people use remote apps / controllers then it could be an issue for them.
#3
Most of the users don't really know about security :)

And since even Yatse, which is very targeted at Windows users with touch screens, has lots of users, I assume that Android and iPhone remote controllers are numerous :)
#4
Also this is nothing new; XBMC in general, ever since it had a webserver, has been lacking in security. And all the way from Atlantis, and quite a while before, you have had the ability to get anything on the box.

However, I do agree with you and sandboxing will need to be done ASAP, but I doubt it will be in for Dharma. The new JSONRPC though has a security system on a per-client basis which is not enabled, but it's designed around it so it will be rather simple to add it; basically we just need to hook it up to the GUI so you get some form of question regarding if you want to approve or decline a client security (like in Android when you install an app).
#5
Well, getting access to all data on an Xbox is surely less of a problem than if users allow full access to their main computer :)

Not all users have a dedicated HTPC.

Can't just forcing a password be an easy solution to increase security a little?
#6
topfs2 Wrote: Also this is nothing new; XBMC in general, ever since it had a webserver, has been lacking in security. And all the way from Atlantis, and quite a while before, you have had the ability to get anything on the box.

However, I do agree with you and sandboxing will need to be done ASAP, but I doubt it will be in for Dharma. The new JSONRPC though has a security system on a per-client basis which is not enabled, but it's designed around it so it will be rather simple to add it; basically we just need to hook it up to the GUI so you get some form of question regarding if you want to approve or decline a client security (like in Android when you install an app).

Sounds like a pretty sound idea. I was wary about enabling the web-server tbh, so the idea of increased security is appealing. I am glad it is being thought of for future releases (post-Dharma).
#7
While I agree more work needs to be done, one has to keep in mind that this is actually already fairly limited.

1. It's 'only' read access, so it's not as if there's all that much badness here.
2. You only have read access to whatever XBMC itself has access to.

So on a system where you have a limited user it won't be a problem - you'll only have read-only access to what that user account itself can access.

Cheers,
Jonathan
#8
While I hate to be the bearer of bad news, it's already possible to do far more dangerous things via the existing web server in Camelot and the httpapi, as well as any Python plugin.

I am not going to explain how it's possible, but I am aware of them and will lock it down. Again, as this is nothing new, don't expect this to be sorted until Eden.

Regardless of whether you set a password or not for the webserver, just don't make it public, it really isn't worth it! (unless you want the box to eventually be rooted)