Bug #4168
bandwidthd result pages are publicly accessible
Status: Closed
Description
The result pages produced by bandwidthd can be accessed without a login if the URL is known (and the URL does not contain any random information).
Information about the network structure is revealed to the public.
Updated by Jim Pingle almost 10 years ago
- Status changed from New to Rejected
That is a known issue with all add-on packages which include their own web interfaces. Unless they have their own protection/authentication, they can be loaded. There isn't currently a way to lock these down with system authentication. It has been discussed many times over the years (usually about Lightsquid). Some of them even run using their own daemons on separate ports, which the GUI cannot even influence.
Protect access to your firewall GUI port and other daemon ports. Allow access from only approved management workstations. Never expose the GUI or other sensitive firewall services to untrusted networks.
We may eventually come up with a viable way to protect these but for the time being, it's up to the individual packages to handle.
Updated by Oliver Welter almost 10 years ago
Well, in that case you should at least put a big fat warning on the docs. I am new to pfSense and when I add a module I assume it has at least safe defaults or a proper notice.