-
Notifications
You must be signed in to change notification settings - Fork 27
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Please add user authorization to xmlapi usage #29
Comments
Hello, I will follow the guidlines of well known vulnerability disclosure policies. I don't know, but hopefully you will be contacted from eQ-3 side in the next few days with same request and maybe some details, because of some tumult behind the scene I have triggered. @uwe111 Uwe Langhammer: Same issue for the CUxD as stated in CUxD issue 22. Since you have switched of the issue tracker of CUxD in Github, I hope you are getting this info due to watching this repository, too. I'm not the bad guy, just someone who points to security issues! |
@psytester Of course you are not the bad guy. But you overestimate the importance of this add-on as well as CUxD. Both are third-party addons not developed by eQ3. And especially this XML-API Add-on is an open source project which eQ3 has no control of. Feel free to publish your CVEs, but the time would probably better invested in actually contributing to actually close these security issues. So please don't get me wrong. I am all for closing these security issues, but IMHO you should better invest your time in proposing a fix for them rather than writing any CVEs. |
In a first step the AddOn(s) should be integrated into existing user session management. Overestimating is relative. |
This has been discussed multiple times, with the common agreement being that the CCU should not be treated as secure environment anyway and the network it is in should be secured instead as much as reasonably possible. Obviously this is far from perfect, but this is what he have. In any case, as Jens has mentioned, adding authorization to a CCU addon is a lot of work and understabely no one has stepped up to do it for free on a small open source project like this. Are you up for it? |
@psytester It is clear and already known and had been already discussed that a security improvement would be great. So please step forward and implement it! This is an open source project, so everyone is invited (and requested!) to contribute what he sees fit. |
For sure, if I would know how TCL scripting works, how to use in own AddOns the given internal eQ-3 scripts like |
Seen in RaspberryMatic issue 332 jens-maus/RaspberryMatic/issues/332
This is what I would expect, the core CCU part is providing some methods which can be used by AddOn developers. |
@psytester |
@uwe111 Uwe, du könntest natürlich nun prinzipiell trotzdem den seit der 3.41.x Version existierenden ReGa Web Authentification Port (UDP 1998 via 127.0.0.1) nutzen und darüber die Nutzer-Authentifizierung durchführen statt eine separate web authentifizierung mit eignem nutzername+passwort nur für CUxD vorzuhalten. Kann ich dir gerne in einer privaten Email zukommen lassen die Infos wenn du Interesse hast. |
@uwe111 What I mean it the access to internal devices usage. This needs to be protected with an user session, especially If you mean the Basic Authentication provided by INI property I belive at least 70% are using the same user / password combination for CCU WebUI and CUxD UI access and since the /usr/local/addons/cuxd/cuxd.ini contains the access data in plain text, this is a new attack vector. "Thank you". I'm really not the penetration tester expert, but I can combine (simple) attack vectors and finally the system is under full control. |
@jens-maus @psytester For the CUxD UI access I'm already working on a simpler solution. Besides that, you can easily avoid your "attack vectors" if you put your CCU in a secured network with controlled access rules only. That also means no direct port forwarding to the Internet. I think that's the best solution. |
It's not me, who needs to be protected. Two weeks before there were more than 10000 systems listed to be accessible via port forwarding. Today it's "only" 8470 on shodan.io
How to remotly access the CCU / OCCU I can not write here publicly. I can give you details on a private channel or get in contact with Jens Maus, he got those details already 3 weeks before. That a lot of users are not updating they systems, is another bad story :-( |
@psytester |
Jens, lässt Du mir das bitte noch per Email zukommen? |
Someone willing to host this repository under his Github account? I would like to get rid of it. I don't use it, I don't like it, I will not do anything for it in future. So volunteers please, would like to move it asap! :-) |
@uwe111 here is a javascript implementation of authentication against the Rega: https://github.com/rdmtc/RedMatic/blob/master/addon_files/redmatic/lib/rega-auth.js |
@hobbyquaker Feel free to move the repository to my account ;) |
transfer request created. |
Just for traceability only, this issue was published last year as CVE-2019-14984 |
(I know this issue is old, but it is still open, so...) Adding mandatory authentication would break many third party solutions, some of them out of active development. If you consider this issue, please make authentication at least optional. |
This has been implemented into XML-API v2 now. Thus, closing. |
At least the xmlapi/exec.cgi is really dangerous, since its allows uncontrolled execution of code from non authorized users nor any blocking by build-in "Firewall":
You may get in touch with jens maus about some more details which are not for public here.
The text was updated successfully, but these errors were encountered: