NextPVR Forums
security issue with iNEWA

 
johnsonx42
#1
2012-08-07, 08:11 PM
skippy_nz posted in the 2.5.5 announcement thread that he was able to bypass the security of iNEWA and go directly to the recordings list and delete shows without ever logging in. I tested it and first thought it was working fine, and reported same.

However, on further testing I now see the problem:

If the user goes to http://npvr:8866/mobile, it skips the login. I advertised that as a means to see the mobile site on a device not detected as mobile (such as a tablet like my HP TouchPad). This is obviously a pretty serious issue, though hopefully won't have any immediate consequence. I'm turning off external access to my NPVR box until this is fixed.
server: NextPVR 5.0.7/Win10 2004/64-bit/AMD A6-7400k/hvr-2250 & hvr-1250/Winegard Flatwave antenna/Schedules Direct
main client: NextPVR 5.0.7 Desktop Client; LG 50UH5500 WebOS 3.0 TV
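Added example, not part of the original thread and not NEWA code: a small model of how a login check attached to individual pages can miss a subtree such as /mobile, next to a deny-by-default check and a regression test that lists unauthenticated routes. The thread does not state the root cause, so the per-page pattern, the route table and all function names are assumptions.

```python
# Constructed model of the failure mode; routes and guards are hypothetical, not NEWA code.
import posixpath

PUBLIC_PATHS = {"/login"}  # the only paths served without a session

# Hypothetical route table: the desktop site plus a mobile subtree added later.
ROUTES = [
    "/", "/login", "/recordings", "/recordings/delete",
    "/mobile", "/mobile/recordings", "/mobile/recordings/delete",
]

def normalize(path):
    """Drop the query string, fold case, and collapse '//', '.' and '..'."""
    bare = path.split("?", 1)[0].lower()
    return posixpath.normpath("/" + bare.lstrip("/"))

def per_page_guard(path, session):
    """Weak pattern (assumed): each desktop page checks the session itself,
    and the newer mobile pages were added without that check."""
    checked_pages = {"/", "/recordings", "/recordings/delete"}
    if session is None and normalize(path) in checked_pages:
        return 302  # redirect to the login page
    return 200

def deny_by_default_guard(path, session):
    """Hardened pattern: one check in front of every route; anything not
    explicitly public needs a session, so new subtrees are covered."""
    if session is None and normalize(path) not in PUBLIC_PATHS:
        return 302
    return 200

def exposed_routes(guard, routes=ROUTES):
    """Regression check: non-public routes that answer 200 with no session."""
    return [r for r in routes
            if normalize(r) not in PUBLIC_PATHS and guard(r, None) == 200]

if __name__ == "__main__":
    print("per-page guard exposes:", exposed_routes(per_page_guard))
    print("deny-by-default exposes:", exposed_routes(deny_by_default_guard))
```

Running `exposed_routes` against the real route list after every release is the kind of check that would flag a newly added, unguarded subtree before it ships.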
whurlston
#2
2012-08-07, 08:31 PM
You could also rename the mobile folder or just disable it.
johnsonx42
#3
2012-08-07, 08:33 PM
Yes, true, that would allow the regular NEWA to still operate securely while awaiting a fix for the mobile site.
johnsonx42
#4
2012-08-07, 09:28 PM
sub has removed iNEWA from the 2.5.5 installer as of right now, so if you just now downloaded 2.5.5 and see this post, you're fine.
bgowland
#5
2012-08-07, 10:14 PM
johnsonx42 Wrote: I advertised that as a means to see the mobile site on a device not detected as mobile (such as a tablet like my HP TouchPad).
Without wanting to hijack the thread but what do you mean about an HP TouchPad not being detected as mobile?
mvallevand
#6
2012-08-07, 10:15 PM
IMHO if you are connecting to NEWA via the Internet, you really should only connect using a VPN anyway, it was never designed for the hackers on the Internet today.

Martin
johnsonx42
#7
2012-08-07, 11:07 PM
bgowland Wrote: Without wanting to hijack the thread but what do you mean about an HP TouchPad not being detected as mobile?
When I tested it on my webOS phone, the mobile site came up right away. On the TouchPad I got the full NEWA... Some may prefer this, so I'm not calling it a bug, but I just wanted the simple interface.
psycik
#8
2012-08-08, 12:12 AM
mvallevand Wrote: IMHO if you are connecting to NEWA via the Internet, you really should only connect using a VPN anyway, it was never designed for the hackers on the Internet today.

Martin

Unless it's a PPTP VPN....
johnsonx42
#9
2012-08-08, 02:05 AM
mvallevand Wrote: IMHO if you are connecting to NEWA via the Internet, you really should only connect using a VPN anyway, it was never designed for the hackers on the Internet today.

Martin
Well I certainly wouldn't argue against that as being ideal, but it's simply not practical for most users. We just have to hope the NEWA web engine itself is secure enough to ward off automated attacks and casual hacks; it's not like a random PVR box would be a target for a serious hacking effort.
johnsonx42
#10
2012-08-08, 02:08 AM
I was starting to wonder why we've had no comment from UJB or fjbpchristiaens on this, but their profiles show neither has been on since last week.