Bug #4168
closed
bandwidthd result pages are publicly accessible
Added by Oliver Welter almost 10 years ago.
Updated almost 10 years ago.
Description
The result pages produced by bandwidthd can be accessed without a login when knowing the URL (which does not contain any random information).
Information about the network structure is revealed to the public.
- Status changed from New to Rejected
That is a known issue with all add-on packages which include their own web interfaces. Unless they have their own protection/authentication, they can be loaded. There isn't currently a way to lock these down with system authentication. It has been discussed many times over the years (usually about Lightsquid). Some of them even run using their own daemons on separate ports, which the GUI cannot even influence.
Protect access to your firewall GUI port and other daemon ports. Allow access from only approved management workstations. Never expose the GUI or other sensitive firewall services to untrusted networks.
We may eventually come up with a viable way to protect these but for the time being, it's up to the individual packages to handle.
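One way to express the advice in the comment above (restrict the firewall's own GUI and daemon ports to approved management workstations) as a pf ruleset. This is an added example, not code from the bug thread or from pfSense itself; the interface names, addresses, the management hosts and the extra daemon port are assumptions, and it assumes the bandwidthd report pages are served through the GUI's own web server (as the report implies), so locking down the GUI port also covers them:

```pf
# Added example, not from the bug thread or from pfSense. Assumed values:
#   em0 = WAN interface, em1 = LAN interface
#   webConfigurator on TCP 443 (the pfSense default; adjust if it was changed)
#   22 = SSH, 7445 = illustrative port of a package that runs its own daemon
#   10.0.0.0/24 = LAN, 10.0.0.10 and 10.0.0.11 = approved management workstations
wan_if = "em0"
lan_if = "em1"
fw_services = "{ 443, 22, 7445 }"

# Only these hosts may reach the firewall's own sensitive services.
table <mgmt> { 10.0.0.10, 10.0.0.11 }

set skip on lo0

# Nothing inbound from the untrusted side reaches the firewall itself.
block in log on $wan_if

# "quick" rules match first: allow the management hosts, then refuse
# everyone else on the LAN who tries to talk to the firewall's services.
pass in quick on $lan_if proto tcp from <mgmt> to ($lan_if) port $fw_services keep state
block in log quick on $lan_if proto tcp from any to ($lan_if) port $fw_services

# Ordinary traffic from the LAN through the firewall is unaffected.
pass in on $lan_if from $lan_if:network to any keep state
```

Syntax-check the fragment with `pfctl -nf <file>` before loading it. On pfSense the ruleset is generated from the GUI and hand edits to pf.conf are overwritten, so the equivalent there is a pair of LAN rules: an allow rule from a management-hosts alias to destination "This Firewall (self)" on the GUI port, followed by a block rule to "This Firewall (self)" on the same ports. After applying either form, a request for the bandwidthd report URL from a non-management host should be refused or time out rather than return the page.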
Well, in that case you should at least put a big fat warning in the docs. I am new to pfSense and when I add a module I assume it has at least safe defaults or a proper notice.