Bug #4168

closed

bandwidthd result pages are publicly accessible

Added by Oliver Welter about 9 years ago. Updated about 9 years ago.

Status:
Rejected
Priority:
Normal
Assignee:
-
Category:
bandwidthd
Target version:
-
Start date:
12/31/2014
Due date:
% Done:
0%

Estimated time:
Plus Target Version:
Affected Version:
2.1.5
Affected Plus Version:
Affected Architecture:

Description

The result pages produced by bandwidthd can be accessed without a login when the URL is known (it does not contain any random information).

Information about the network structure is revealed to the public.

#1

Updated by Jim Pingle about 9 years ago

  • Status changed from New to Rejected

That is a known issue with all add-on packages which include their own web interfaces. Unless they have their own protection/authentication, they can be loaded. There isn't currently a way to lock these down with system authentication. It has been discussed many times over the years (usually about Lightsquid). Some of them even run using their own daemons on separate ports, which the GUI cannot even influence.

Protect access to your firewall GUI port and other daemon ports. Allow access from only approved management workstations. Never expose the GUI or other sensitive firewall services to untrusted networks.

We may eventually come up with a viable way to protect these but for the time being, it's up to the individual packages to handle.
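
The following is an added audit script for the behaviour described in this ticket; it is not code from the bug report, from pfSense or from the bandwidthd package. It fetches a handful of paths on a pfSense webGUI host with no session cookie and reports which ones return content instead of a login redirect or the login form. The assumptions are labelled as such in the code: that the package's report pages live under /bandwidthd/ on the GUI port, that the GUI answers unauthenticated requests for its own pages with a redirect to index.php or the login form, and that the login form carries an input named usernamefld. Because the script should be runnable offline, it also ships a small in-process stand-in server that mimics the reported setup (static package pages served to anyone, everything else gated behind the login form); point `audit()` at a real host to check your own firewall.

```python
"""Audit which paths on a pfSense webGUI host are served to an unauthenticated client.

Added example for ticket #4168; not code from the bug report, pfSense or bandwidthd.
Assumptions (hypothetical, not taken from the ticket): the package writes its report
pages under /bandwidthd/ on the GUI port, the GUI answers unauthenticated requests
for PHP pages with a redirect to the login page (index.php) or with the login form
itself, and that form contains an input named 'usernamefld'.
"""
import ssl
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Candidate paths to probe without a session. /bandwidthd/ is the one this ticket is
# about; /status.php stands in for a normal GUI page that must demand a login.
DEFAULT_PATHS = ["/bandwidthd/", "/bandwidthd/index.html", "/status.php"]
LOGIN_FIELD = b"usernamefld"  # input name on the pfSense login form (assumed)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow 3xx so the caller can inspect the Location header itself."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError for the 3xx response


def fetch(url, timeout=5):
    """GET url with no cookies; return (status, Location header, first 4 KiB of body)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # GUI certificates are usually self-signed;
    ctx.verify_mode = ssl.CERT_NONE     # we only care whether content is served
    opener = urllib.request.build_opener(_NoRedirect, urllib.request.HTTPSHandler(context=ctx))
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location"), resp.read(4096)
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx all land here
        return err.code, err.headers.get("Location"), err.read(4096)


def classify(status, location, body):
    """'protected' if the GUI demanded a login, 'exposed' if content came back."""
    if status in (401, 403):
        return "protected"
    if 300 <= status < 400:
        target = (location or "").lower()
        return "protected" if "index.php" in target or "login" in target else "redirect"
    if status == 404:
        return "missing"
    if status == 200:
        return "protected" if LOGIN_FIELD in body else "exposed"
    return "other"


def audit(base_url, paths=DEFAULT_PATHS):
    """Return {path: verdict} for each candidate path, fetched without a session."""
    return {p: classify(*fetch(base_url.rstrip("/") + p)) for p in paths}


# --- offline stand-in that behaves like the setup reported in this ticket -------------
class _FakePfSense(BaseHTTPRequestHandler):
    """Serves /bandwidthd/ to anyone; shows the login form for everything else."""
    def do_GET(self):
        if self.path.startswith("/bandwidthd/"):
            body = b"<html><body><h1>Daily - Total</h1><img src=graph.png></body></html>"
            self.send_response(200)
        elif self.path == "/index.php":
            body = b"<form action=index.php><input name=usernamefld></form>"
            self.send_response(200)
        else:
            body = b""
            self.send_response(302)
            self.send_header("Location", "/index.php")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def demo():
    """Run the audit against the in-process stand-in and return its verdicts."""
    srv = HTTPServer(("127.0.0.1", 0), _FakePfSense)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return audit(f"http://127.0.0.1:{srv.server_address[1]}")
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:10s} {path}")
```

Against the stand-in, both /bandwidthd/ paths come back as exposed while /status.php is protected, which is exactly the situation the reporter describes. Run it from a workstation that is not on your management allowlist: if any package path reports exposed from there, the firewall rule restricting the GUI port is not doing its job for that content.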

#2

Updated by Oliver Welter about 9 years ago

Well, in that case you should at least put a big fat warning on the docs. I am new to pfSense and when I add a module I assume it has at least safe defaults or a proper notice.
