Is this project dead?

General discussion about RuneAudio. Do not post any support or feature requests here.

Re: Is this project dead?

Postby pastic » 31 Mar 2018, 15:07

waves wrote:...[stuff]...

gearhead wrote:...[stuff]...


I share this concern, but also willingly admit my lack of skills to judge whether the concern is real in the context of Runeaudio. I did notice in the first arstechnica post linked above that the person wrote: "He said the vulnerability was present only when users enabled remote access and disabled password protection." I would, somewhat daringly suggest that anyone who knowingly does so deserves to get hacked.

The question is, is this remote access enabled by default somehow? It would seem that the WLAN interface is active by default, but if that interface is disabled, the RuneAudio RPi would be entirely behind the router and as such protected. I find no indication that one could gain access from without then. (Also disable UPnP, I guess).

Or am I wrong?
pastic
 
Posts: 11
Joined: 23 Mar 2018, 00:07

Re: Is this project dead?

Postby waves » 14 Apr 2018, 12:19

pastic wrote:I share this concern, but also willingly admit my lack of skills to judge whether the concern is real in the context of Runeaudio.

I see no reason to think this is not a concern also for RuneAudio since it is also a localhost server without any authorization of users other than that they (appear to) be on the same LAN. If that is incorrent then it would be wise for developers to explain in detail why RuneAudio would not be vulnerable.

pastic wrote:I did notice in the first arstechnica post linked above that the person wrote: "He said the vulnerability was present only when users enabled remote access and disabled password protection." I would, somewhat daringly suggest that anyone who knowingly does so deserves to get hacked.


That is a misconception AFAICT. DNS Rebind exploits work by having javascript in a malicious browser page access the web UI in a way that fools localhost servers like RuneAudio into thinking the traffic is coming from a LAN user. But it is really the remote malware site that is the source of the traffic. What harm can be done depends on what commands the localhost server has exposed and/or what vulnerabilities there are in the (by now old) versions of PHP etc that RuneAudio runs.

Here is a recent example of how a Usenet client made preemptive changes to prevent DNS Rebind exploits through its web UI
https://sabnzbd.org/wiki/extra/hostname-check.html
It uses https and a hostname verification whitelist. It also has a built in option to password protect access to the web UI.

CVE for the vulnerability in Transmission talked about in earlier posts
https://www.cvedetails.com/cve/CVE-2018-5702/
waves
 
Posts: 125
Joined: 31 Dec 2014, 10:33

support RuneAudio Donate with PayPal

Previous

Return to General discussion

Who is online

Users browsing this forum: No registered users and 4 guests