forum.wdlxtv.com

[KAD]

[mad_ady]

As you've seen, it's a matter of security. I chose not to disable HTTP Authentication for any host, but I do turn it off for the /umsp/ address. The reason for this is that the requests are made from other systems in your LAN and DLNA does not support Simple authentication.

Now, the question is - is it safe to disable HTTP Auth completely? No - your webend would be accessible by anyone in the LAN, and they could get your configuration and your credentials to your saved accounts.
Is it safe to disable HTTP auth for UMSP? It probably is, but there can be certain plugins that will allow you to download arbitrary content from the WDTV (e.g. a carefully scripted request to umsp-test.php can do this), so you can get the credentials.

How should this be done? Well, I'm thinking of a way to allow the user to turn off auth for requests from specific hosts. This way, the user would be able to use something like Julio's WDTV Remote app. I haven't thought of a way to do this that is elegant yet...

The way the httpd.conf import works in my case is that it imports a blank file when UMSP_LAN is disabled, or imports a non-blank "override" file when it is enabled. You can adjust the paths to fit your system for now.

[recliq]

I remember the "security" discussen when we developed the UMSP_LAN patch and we came up with the present solution (to disable auth only for umsp path).
Of course this is not really secure! (I guess I can find a way to exploit UMSP files for some nasty directory traversal or something else...)
Anyways it was the best trade-off for having UMSP_LAN working and still have basic auth on webend.

But if you look at the whole picture you can can't say WDLXTV is secure... having some passwords here and there (webend, ftp,telnet, etc...) will prevent "drive-by" access or keeping your (young) children off the WDLXTV services, but anyone with at least some linux knowledge will get in there if he really wants.

Anybody should keep that in mind, especially if he's planning to expose his WDTV on the internet (which I strongly suggest you don't do without some extra security layer like a VPN tunnel)!

[KAD]

and the SMP is even worse for security than the old devices were

first off, did you notice the user httpd runs under root

and that's the way it runs under official firmware too

then re WDLXTV-webend on SMP, there is no webend password authentication like the old live and live plus
it's wide open, so I guess unless I want to secure the webend, this will probably work without any additional changes

[KAD]

ok, I must be missing something, those patches look obvious, and seem to do what they are supposed to do, but I'm unable to see UMSP from android tablet (only device I have for testing this)
tried upnp monkey and upnp play

I don't see any changes that would change how it's broadcast, just the UDN and friendly name is really all that is being changed ??

I don't see any UMSP LAN specific entries in wdlxtv.watch , it's just the exact same broadcast message from what I can tell
are there additional patches, I need to check for ?

oh and yes I went ahead and added those httpd.conf entries, although it's sort of a mute point because it's already wide open

[KAD]

[mad_ady]

Yeah, took me a year before I could spell UMSP correctly (I would always type usmp instead)