webapp security

For discussion related to MythTV which doesn't belong in another forum.

white_haired_uncle
Senior
Posts: 494
Joined: Thu Feb 23, 2023 8:55 pm
Location: Safe outside my gilded cage
United States of America

webapp security

Post by white_haired_uncle »

I got to thinking about this the other day. The new webapp seems to have no authentication and listens on all ports by default. Is there anything protecting, for example, the mythtv-user mysql password? And I won't mention the details here in the open, but I'm pretty sure I can quite easily get root on a lot of myth backends via the webapp.

There's probably some way to secure things documented somewhere, but out of the box this seems pretty, um, accommodating.
paulh
Developer
Posts: 915
Joined: Thu Feb 06, 2014 6:09 pm
Great Britain

Re: webapp security

Post by paulh »

You are correct, both the WebApp and the API it uses currently have no security built in. It was something Stuart and I discussed, and we were in agreement it would be nice to learn from past mistakes and make the new WebApp secure out of the box. Unfortunately we never got around to implementing anything.

In the old API you could password protect any of the endpoints if you wanted. By default only the setup endpoint was protected, albeit using a default username/password, but of course they could be changed. The old WebFrontend would ask you for a password when you entered the setup pages. I don't believe any of that got carried over to the new WebApp though.

The current advice is don't expose your MythTV backend to the internet and avoid running the BE as root, but use a more restricted user like mythtv to limit the amount of potential destruction that could be done (I think you have probably already found some of the API endpoints could be exploited to potentially completely trash a system running the backend).

This reminds me of the early days of MythWeb where some users made it visible to all on the web and were dismayed to have all their recordings deleted etc. It was either some malicious users, or one theory was some bots like the googlebot could have tried to index all the pages it could find and was clicking all the delete recording links for each recording.
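A small posture check that follows paulh's two pieces of advice above (added example, not MythTV project code): it flags a backend listener bound to every interface and a backend running as root. It assumes 6544 as the backend's default HTTP port and the column layout of `ss -ltnp`; the sample output is constructed.

```python
"""Check whether an unauthenticated MythTV backend is exposed more widely than needed."""
import re
import subprocess

# Local-address forms that mean "every interface" in ss output.
WILDCARDS = {"0.0.0.0", "*", "::", "[::]"}
# Backend HTTP/API port to inspect (assumption: 6544 is the default).
WATCH_PORTS = {6544}

# Constructed `ss -ltnp` output for illustration; not captured from a real host.
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:6544        0.0.0.0:*         users:(("mythbackend",pid=1234,fd=12))
LISTEN 0      128    127.0.0.1:3306      0.0.0.0:*         users:(("mariadbd",pid=800,fd=20))
"""


def parse_ss_listeners(ss_output):
    """Return [(local_addr, port, process_name)] parsed from `ss -ltnp` text."""
    listeners = []
    for line in ss_output.splitlines()[1:]:  # first line is the header
        parts = line.split()
        if len(parts) < 5:
            continue
        addr, _, port = parts[3].rpartition(":")  # rpartition keeps "[::]" intact
        if not port.isdigit():
            continue
        m = re.search(r'users:\(\("([^"]+)"', line)
        listeners.append((addr, int(port), m.group(1) if m else ""))
    return listeners


def assess(ss_output, backend_user):
    """Return a list of findings; empty means both pieces of advice are followed."""
    findings = []
    for addr, port, proc in parse_ss_listeners(ss_output):
        if port in WATCH_PORTS and addr in WILDCARDS:
            findings.append(f"{proc or 'unknown'} port {port} bound to all interfaces ({addr})")
    if backend_user == "root":
        findings.append("mythbackend runs as root; use a restricted user such as mythtv")
    return findings


def live_inputs():
    """Collect the real inputs on a Linux host (requires ss and ps on PATH)."""
    ss_out = subprocess.run(["ss", "-ltnp"], capture_output=True, text=True).stdout
    ps_out = subprocess.run(["ps", "-o", "user=", "-C", "mythbackend"],
                            capture_output=True, text=True).stdout
    return ss_out, ps_out.split()[0] if ps_out.split() else ""


if __name__ == "__main__":
    for finding in assess(SAMPLE_SS, "root") or ["no findings"]:
        print(finding)
```

Replace the constructed sample with `assess(*live_inputs())` to run it against the current host.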
bill6502
Developer
Posts: 2433
Joined: Fri Feb 07, 2014 5:28 pm
United States of America

Re: webapp security

Post by bill6502 »
