[phpBB Debug] PHP Notice: in file /includes/bbcode.php on line 483: preg_replace(): The /e modifier is no longer supported, use preg_replace_callback instead
[phpBB Debug] PHP Notice: in file /includes/bbcode.php on line 483: preg_replace(): The /e modifier is no longer supported, use preg_replace_callback instead
[phpBB Debug] PHP Notice: in file /includes/bbcode.php on line 483: preg_replace(): The /e modifier is no longer supported, use preg_replace_callback instead
[phpBB Debug] PHP Notice: in file /includes/bbcode.php on line 483: preg_replace(): The /e modifier is no longer supported, use preg_replace_callback instead
[phpBB Debug] PHP Notice: in file /includes/bbcode.php on line 483: preg_replace(): The /e modifier is no longer supported, use preg_replace_callback instead
[phpBB Debug] PHP Notice: in file /includes/bbcode.php on line 483: preg_replace(): The /e modifier is no longer supported, use preg_replace_callback instead
[phpBB Debug] PHP Notice: in file /includes/bbcode.php on line 483: preg_replace(): The /e modifier is no longer supported, use preg_replace_callback instead
[phpBB Debug] PHP Notice: in file /includes/bbcode.php on line 483: preg_replace(): The /e modifier is no longer supported, use preg_replace_callback instead
[phpBB Debug] PHP Notice: in file /includes/bbcode.php on line 483: preg_replace(): The /e modifier is no longer supported, use preg_replace_callback instead
[phpBB Debug] PHP Notice: in file /includes/bbcode.php on line 483: preg_replace(): The /e modifier is no longer supported, use preg_replace_callback instead
[phpBB Debug] PHP Notice: in file /includes/bbcode.php on line 483: preg_replace(): The /e modifier is no longer supported, use preg_replace_callback instead
[phpBB Debug] PHP Notice: in file /includes/bbcode.php on line 483: preg_replace(): The /e modifier is no longer supported, use preg_replace_callback instead
[phpBB Debug] PHP Notice: in file /includes/bbcode.php on line 483: preg_replace(): The /e modifier is no longer supported, use preg_replace_callback instead
[phpBB Debug] PHP Notice: in file /includes/bbcode.php on line 483: preg_replace(): The /e modifier is no longer supported, use preg_replace_callback instead
[phpBB Debug] PHP Notice: in file /includes/bbcode.php on line 483: preg_replace(): The /e modifier is no longer supported, use preg_replace_callback instead
[phpBB Debug] PHP Notice: in file /includes/bbcode.php on line 483: preg_replace(): The /e modifier is no longer supported, use preg_replace_callback instead
[phpBB Debug] PHP Notice: in file /includes/bbcode.php on line 483: preg_replace(): The /e modifier is no longer supported, use preg_replace_callback instead
[phpBB Debug] PHP Notice: in file /includes/bbcode.php on line 483: preg_replace(): The /e modifier is no longer supported, use preg_replace_callback instead
[phpBB Debug] PHP Notice: in file /includes/bbcode.php on line 483: preg_replace(): The /e modifier is no longer supported, use preg_replace_callback instead
[phpBB Debug] PHP Notice: in file /includes/bbcode.php on line 483: preg_replace(): The /e modifier is no longer supported, use preg_replace_callback instead
[phpBB Debug] PHP Notice: in file /includes/bbcode.php on line 483: preg_replace(): The /e modifier is no longer supported, use preg_replace_callback instead
[phpBB Debug] PHP Notice: in file /includes/bbcode.php on line 483: preg_replace(): The /e modifier is no longer supported, use preg_replace_callback instead
[phpBB Debug] PHP Notice: in file /includes/bbcode.php on line 483: preg_replace(): The /e modifier is no longer supported, use preg_replace_callback instead
[phpBB Debug] PHP Notice: in file /includes/bbcode.php on line 483: preg_replace(): The /e modifier is no longer supported, use preg_replace_callback instead
[phpBB Debug] PHP Notice: in file /includes/bbcode.php on line 483: preg_replace(): The /e modifier is no longer supported, use preg_replace_callback instead
[phpBB Debug] PHP Notice: in file /includes/bbcode.php on line 483: preg_replace(): The /e modifier is no longer supported, use preg_replace_callback instead
[phpBB Debug] PHP Notice: in file /includes/bbcode.php on line 112: preg_replace(): The /e modifier is no longer supported, use preg_replace_callback instead
[phpBB Debug] PHP Notice: in file /includes/bbcode.php on line 112: preg_replace(): The /e modifier is no longer supported, use preg_replace_callback instead
[phpBB Debug] PHP Notice: in file /includes/functions.php on line 4326: Cannot modify header information - headers already sent by (output started at /includes/functions.php:3501)
[phpBB Debug] PHP Notice: in file /includes/functions.php on line 4328: Cannot modify header information - headers already sent by (output started at /includes/functions.php:3501)
[phpBB Debug] PHP Notice: in file /includes/functions.php on line 4329: Cannot modify header information - headers already sent by (output started at /includes/functions.php:3501)
[phpBB Debug] PHP Notice: in file /includes/functions.php on line 4330: Cannot modify header information - headers already sent by (output started at /includes/functions.php:3501)
UMSP-LAN Security
Sign up here and you can log into the forum!

UMSP-LAN Security

This is the place to ask for how to use software that is (or isn't) included in the various wdlxtv flavours. Questions about software such as rtorrent, NZBGet, sshfs, curlftpfs, ssh, telnet, etc.

UMSP-LAN Security   

Postby KAD » Thu May 29, 2014 9:04 pm

If you like my work please consider a Donation.
Please read the appropriate documentation before posting questions!
PM's are for private matters. Post support questions to the appropriate forum, or they will be ignored.
User avatar
KAD
Global Moderator
 
Posts: 5103
Joined: Mon Apr 12, 2010 4:59 pm
Location: Seattle, WA USA

Re: UMSP-LAN Security   

Postby mad_ady » Fri May 30, 2014 5:03 am

As you've seen, it's a matter of security. I chose not to disable HTTP Authentication for any host, but I do turn it off for the /umsp/ address. The reason for this is that the requests are made from other systems in your LAN and DLNA does not support Simple authentication.

Now, the question is - is it safe to disable HTTP Auth completely? No - your webend would be accessible by anyone in the LAN, and they could get your configuration and your credentials to your saved accounts.
Is it safe to disable HTTP auth for UMSP? It probably is, but there can be certain plugins that will allow you to download arbitrary content from the WDTV (e.g. a carefully scripted request to umsp-test.php can do this), so you can get the credentials.

How should this be done? Well, I'm thinking of a way to allow the user to turn off auth for requests from specific hosts. This way, the user would be able to use something like Julio's WDTV Remote app. I haven't thought of a way to do this that is elegant yet...

The way the httpd.conf import works in my case is that it imports a blank file when UMSP_LAN is disabled, or imports a non-blank "override" file when it is enabled. You can adjust the paths to fit your system for now.
User avatar
mad_ady
Developer
 
Posts: 4575
Joined: Fri Nov 05, 2010 9:08 am
Location: Bucharest, Romania

Re: UMSP-LAN Security   

Postby recliq » Fri May 30, 2014 7:26 am

I remember the "security" discussen when we developed the UMSP_LAN patch and we came up with the present solution (to disable auth only for umsp path).
Of course this is not really secure! (I guess I can find a way to exploit UMSP files for some nasty directory traversal or something else...)
Anyways it was the best trade-off for having UMSP_LAN working and still have basic auth on webend.

But if you look at the whole picture you can can't say WDLXTV is secure... having some passwords here and there (webend, ftp,telnet, etc...) will prevent "drive-by" access or keeping your (young) children off the WDLXTV services, but anyone with at least some linux knowledge will get in there if he really wants.

Anybody should keep that in mind, especially if he's planning to expose his WDTV on the internet (which I strongly suggest you don't do without some extra security layer like a VPN tunnel)!
­WDLXTV Project Maintainer
-:] If you like my contributions feel free to for a beer or a new flash drive. ...and always remember: RTFM! (, , ) [:-
User avatar
recliq
WDLXTV Team
 
Posts: 5513
Joined: Thu Apr 15, 2010 8:09 am
Location: Kiel, Germany

Re: UMSP-LAN Security   

Postby KAD » Fri May 30, 2014 10:13 am

and the SMP is even worse for security than the old devices were

first off, did you notice the user httpd runs under root

and that's the way it runs under official firmware too

then re WDLXTV-webend on SMP, there is no webend password authentication like the old live and live plus
it's wide open, so I guess unless I want to secure the webend, this will probably work without any additional changes
If you like my work please consider a Donation.
Please read the appropriate documentation before posting questions!
PM's are for private matters. Post support questions to the appropriate forum, or they will be ignored.
User avatar
KAD
Global Moderator
 
Posts: 5103
Joined: Mon Apr 12, 2010 4:59 pm
Location: Seattle, WA USA

Re: UMSP-LAN Security   

Postby KAD » Fri May 30, 2014 6:32 pm

ok, I must be missing something, those patches look obvious, and seem to do what they are supposed to do, but I'm unable to see UMSP from android tablet (only device I have for testing this)
tried upnp monkey and upnp play

I don't see any changes that would change how it's broadcast, just the UDN and friendly name is really all that is being changed ??

I don't see any UMSP LAN specific entries in wdlxtv.watch , it's just the exact same broadcast message from what I can tell
are there additional patches, I need to check for ?

oh and yes I went ahead and added those httpd.conf entries, although it's sort of a mute point because it's already wide open
If you like my work please consider a Donation.
Please read the appropriate documentation before posting questions!
PM's are for private matters. Post support questions to the appropriate forum, or they will be ignored.
User avatar
KAD
Global Moderator
 
Posts: 5103
Joined: Mon Apr 12, 2010 4:59 pm
Location: Seattle, WA USA

Re: UMSP-LAN Security   

Postby KAD » Sun Jun 01, 2014 1:37 pm

If you like my work please consider a Donation.
Please read the appropriate documentation before posting questions!
PM's are for private matters. Post support questions to the appropriate forum, or they will be ignored.
User avatar
KAD
Global Moderator
 
Posts: 5103
Joined: Mon Apr 12, 2010 4:59 pm
Location: Seattle, WA USA

Re: UMSP-LAN Security   

Postby mad_ady » Sun Jun 01, 2014 10:07 pm

Yeah, took me a year before I could spell UMSP correctly (I would always type usmp instead) :)
User avatar
mad_ady
Developer
 
Posts: 4575
Joined: Fri Nov 05, 2010 9:08 am
Location: Bucharest, Romania


Return to Application Questions

Who is online

Users browsing this forum: No registered users and 1 guest

cron