• Official post

    Well,


    yes, it is possible to basically read any file on a dreambox using path-traversal.


    But to get there you will first have to gain access to the WebInterface.
    If someone has the root password he could also just log in via ftp or ssh and do way more nasty stuff.
    If people expose their box to the internet without any password-protection then that's a WAY bigger problem.
    You can even delete movies or timers right away without using this pretty poor "exploit" which isn't really one.... (imo).
    It's a simple wget on older versions, and a wget with simple path-traversal on newer versions.


    Looking at the use case of a dreambox WebInterface it has never been developed with security in focus (only very very basic things, to avoid general command execution).


    I actually do not even consider this "exploit" a real problem.
    If someone points me to a problem where you could actually execute console-commands, that's what I would consider an exploit.


    I'll fix the possibility for path-traversal, although I really don't see any way someone could do damage that way.

  • ? Where's the exploit? It's a feature, not a bug :winking_face:


    The script simply issues a regular API-Call to the WebIF to get any file on the Dreambox. I admit that this might be a security issue and one might think about restricting access to the file system, but there are 2 main reasons why this doesn't make sense:
    1. Dreambox WebIF shouldn't be publicly reachable!
    2. If it is, then you need to set a password and activate password-protection in WebIF-Settings.


    Because with an open, not password protected WebIF you could do thousands of other things that you shouldn't do on remote boxes :winking_face: It doesn't make any sense to restrict this specific API-call cause then you would have to stop any other API for zapping, box control, streaming or whatever. If there is no protection before the API, every function of the WebIF might be seen as a security leak.
    That's just my point of view and maybe others or the developers have another opinion, but for me this isn't an exploit. It's just the user's own fault.


    P.S.: OpenWebIF is something totally different :winking_face:


    Edit: Reichi was faster :smiling_face: My English typing is too slow :grinning_squinting_face:

    so long
    m0rphU

  • I see your point, it's like not changing the root/dreambox default user password. Then it would be better to have the web interface with authentication as the default; instead, by default, it is not. Hope they won't go farther than that.

    • Official post

    Well the concept is simple:


    The default settings are to disable user and password for http (which is meant for local (lan/wlan) access) and to enable it for https (which is meant for remote access).
    As you are not supposed to forward the unencrypted (non-s) WebInterface this should be a very fine pre-setting for everyone.


    Anything else is imo a misconfiguration done by users, and that's something you can't fix, you can just tell them NOT to do so.
    IIRC logging in as root without password doesn't work, so it should be ok from that point, too.