security issue with iNEWA

[whurlston]

Isn't UJB on a beach somewhere?

[bgowland]

when I tested it on my webOS phone, the mobile site came up right away. On the TouchPad I got the full NEWA... Some may prefer this, so I'm not calling it a bug, but I just wanted the simple interface.

Ah OK, I was just wondering.

I haven't tested iNEWA as I don't have a need for it. If your webOS device and TouchPad get different responses it suggests this may be to do with the HTTP User-Agent request field. If that's the case then the process is inherently insecure anyway - I could knock up a simple web client for my Android phone using just a few lines of code which would make it look like an iMac running Safari, for example.

[johnsonx42]

I haven't tested iNEWA as I don't have a need for it. If your webOS device and TouchPad get different responses it suggests this may be to do with the HTTP User-Agent request field. If that's the case then the process is inherently insecure anyway - I could knock up a simple web client for my Android phone using just a few lines of code which would make it look like an iMac running Safari, for example.

I'm pretty sure you're misunderstanding what I'm saying. Any device that goes to http://ip_of_npvr:8866 from an external address gets the login page. AFTER the login page, my webOS phone (Pre 3) gets the mobile site (/mobile), while my webOS tablet (TouchPad) gets the regular site (/guide2.aspx). Obviously this is because the user agent of the touchpad is different than the phone, and doesn't have whatever the "auto-magic" redirection code is looking for. I'm not saying this is a bug or wrong at all - a 10" tablet is not a 3.5" phone. It's just that I happen to want the simple mobile interface on both devices. So, I figured out that if I request http://ip_of_npvr:8866/mobile from any device, be it phone, tablet, or desktop, it will force use of the mobile site... BUT it turns out that it also skips the login screen as well, and grants full access. This happens regardless of device, and has nothing to do with the user agent. I did not notice this at first, because initially I only had NEWA access inside my network, and NEWA by default grants auto-login from all private IP ranges. It was only after skippy_nz posted that I forwarded port 8866 in my router, turned off wifi on my phone, and logged in from a public IP that I discovered it.

[fuzzweed]

I think I'm saying the same thing, but if I go to the :8866/mobile on my phone from an external network, I don't get asked for as password. i.e. anyone in the world can delete my recordings.
VPN is fine PC to PC, but port forwarding is the only viable option to view EWA via a phone.

Pity as it looks great and has been long awaited, but I guess I need to turn off EWA completely until UJB issues a fix.

Should also raise this as a post on the main forum, as this is a reasonably big security hole, that I only picked up on by chance.

[nia]

I still find the iNEWA functionality absolutely brilliant - it's a very welcome value add to nPVR indeed. A big thank you to the developers.

Maybe some Securitywiz can come up with a recommended setup?

[johnsonx42]

I think I'm saying the same thing, but if I go to the :8866/mobile on my phone from an external network, I don't get asked for as password. i.e. anyone in the world can delete my recordings.

yes, that is the issue at hand.

Should also raise this as a post on the main forum, as this is a reasonably big security hole, that I only picked up on by chance.

I put a prominent note in the patch post.

[kevbotheone]

I think that a mobile login screen would be very useful for this scenario. fjbpchristiaens already indicated that the login screen is something to be worked on next.
http://forums.nextpvr.com/showthread.php...post437842

But the system needs to prompt for a login regardless if the URL is directly pointed at /mobile or /guide2.aspx. If the login is only prompted when using http://ip_of_npvr:8866, then I see that as a bug with NEWA. So, when going directly to http://ip_of_npvr:8866/guide2.aspx, will the login screen be presented?

[UncleJohnsBand]

Isn't UJB on a beach somewhere?

Yes...at beach.... :-) having to check e-mail through web as my home server went down after we left which is where I manage my e-mail and FTP server.

I will look into the security issue with the mobile folder and security......

[johnsonx42]

I think that a mobile login screen would be very useful for this.

it seems the login screen has already been done... The login screen for all devices seems to be from iNEWA.. That may be a bug in itself though.

So, when going directly to http://ip_of_npvr:8866/guide2.aspx, will the login screen be presented?

yes, the user still has to login.

[UncleJohnsBand]

it seems the login screen has already been done... The login screen for all devices seems to be from iNEWA.. That may be a bug in itself though.

yes, the user still has to login.

No....there is one common login screen regardless of accessing NEWA or iNEWA......it is logon.aspx. Login.aspx and Login2.aspx are phased out.