security issue with iNEWA

johnsonx42 · 2012-08-07, 08:11 PM

skippy_nz posted in the 2.5.5 announcement thread that he was able to bypass the security of iNEWA and go directly to the recordings list and delete shows without ever logging in. I tested it and first thought it was working fine, and reported same.

However, on further testing I now see the problem:

If the user goes to http://npvr:8866/mobile, it skips the login. I advertised that as a means to see the mobile site on a device not detected as mobile (such as a tablet like my HP TouchPad). This is obviously a pretty serious issue, though hopefully won't have any immediate consequence. I'm turning off external access to my NPVR box until this is fixed.

whurlston · 2012-08-07, 08:31 PM

You could also rename the mobile folder or just disable it.

johnsonx42 · 2012-08-07, 08:33 PM

yes, true, that would allow the regular NEWA to still operate securely while awaiting a fix for the mobile site.

johnsonx42 · 2012-08-07, 09:28 PM

sub has removed iNEWA from the 2.5.5 installer as of right now, so if you just now downloaded 2.5.5 and see this post, you're fine.

bgowland · 2012-08-07, 10:14 PM

johnsonx42 Wrote:I advertised that as a means to see the mobile site on a device not detected as mobile (such as a tablet like my HP TouchPad).

Without wanting to hijack the thread but what do you mean about an HP TouchPad not being detected as mobile?

mvallevand · 2012-08-07, 10:15 PM

IMHO if you are connecting to NEWA via the Internet, you really should only connect to using a VPN anyway, it was never designed for the hackers on the Internet today.

Martin

johnsonx42 · 2012-08-07, 11:07 PM

bgowland Wrote:Without wanting to hijack the thread but what do you mean about an HP TouchPad not being detected as mobile?

when I tested it on my webOS phone, the mobile site came up right away. On the TouchPad I got the full NEWA... Some may prefer this, so I'm not calling it a bug, but I just wanted the simple interface.

psycik · 2012-08-08, 12:12 AM

mvallevand Wrote:IMHO if you are connecting to NEWA via the Internet, you really should only connect to using a VPN anyway, it was never designed for the hackers on the Internet today.

Martin

Unless its a PPTP VPN....

johnsonx42 · 2012-08-08, 02:05 AM

mvallevand Wrote:IMHO if you are connecting to NEWA via the Internet, you really should only connect to using a VPN anyway, it was never designed for the hackers on the Internet today.

Martin

Well I certainly wouldn't argue against that as being ideal, but it's simply not practical for most users. We just have to hope the NEWA web engine itself is secure enough to ward off automated attacks and casual hacks; it's not like a random PVR box would be a target for a serious hacking effort.

johnsonx42 · 2012-08-08, 02:08 AM

I was starting to wonder why we've had no comment from UJB or fjbpchristiaens on this, but their profiles show neither has been on since last week.

Possibly Related Threads…
Thread		Author	Replies	Views	Last Post
	iNEWA Mobile Problem	RTKAT	5	4,120	2016-05-13, 12:22 AM Last Post: RTKAT
	iNEWA glitch on iPhone?	jksmurf	1	2,554	2016-03-19, 05:47 PM Last Post: UncleJohnsBand
	Mobile iNEWA Support Thread	UncleJohnsBand	164	83,484	2016-03-19, 05:46 PM Last Post: UncleJohnsBand
	iNEWA / NEWA problems	NumberFive	6	3,363	2015-04-26, 10:49 AM Last Post: NumberFive
	Possible NEWA streaming security issue.	JP23	4	1,778	2013-07-13, 03:35 PM Last Post: UncleJohnsBand
	INEWA Android feature request	CORRUPT27	2	1,862	2013-06-25, 07:30 PM Last Post: CORRUPT27
	Issue getting "external" VLC to work	phmt	4	3,693	2012-09-28, 10:23 PM Last Post: phmt
	Odd Guide Display Issue	kayleigh	1	1,565	2012-04-25, 11:13 PM Last Post: UncleJohnsBand
	Minor Issue - Channel Name Truncated by first 3 chars?	jksmurf	5	2,181	2011-07-04, 03:29 PM Last Post: UncleJohnsBand
	EWA whitescreen issue	SickBoy	1	1,476	2009-11-19, 11:14 PM Last Post: UncleJohnsBand