Security Issue: Users can see each others data via the HTTP Downloads


#1

Another users opened a support topic regarding this but I thought it best to also put this into bug section.

It looks like permissions have not been set/not working through the HTTP downloads because you can switch to other user folders if you know the name.

For example of your usernames are like box1, box2, box3 etc you can simply name in the http address and it switches to that folder with no login prompt. Even master user.


#2

This is something we fixed a very long time ago and I cannot seem to reproduce this behavior. I will dig into this more later… although, I think this may be isolated to your install for some reason. We’ll see if myself or anyone else can reproduce this.

Also, it’s possible your browser is caching all those auths and simply allowing you to log back in without prompt. This is one reason I am building in database management for QuickBox login/logout auth and moving away from browser auth.


#3

Not just my install as the other user on forum has mentioned same issue. It’s happening on 2 Ubutnu 16.04 installs I have tested. I will check others as well as a Debian 8 install later.

I also tested via clean browser/no cookies/cache and was able to change to other users folder after logging into one so don’t think it’s a browser auth issue.


#4

Right, but the issue arises from the fact that you are logging into multiple accounts and your browsers database is storing them under your current sessions flow. This will not happen with other users as they are only logging into one session.

Can you confirm this if you clear your browser cache/history > login as a created user > then type the name of another users download directory?


#5

As I said in my previous reply, I have tested via a clean browser, no cookies or cache and it did exactly same. I logged into one user account, went to HTTP downloads link and then changed username and it directed me to that user and any other I tried.

EDIT: Checked again, different browser, different system, does exactly the same. Cleared browser cache and history via settings as well as CCleaner etc, nothing changes. I’m able to access any user from one login.

  1. Login to “user1” dashboard.
  2. Go to HTTP Downloads
  3. Edit username in URL to “user2”
  4. Browse their files.

#6

is user 1 a admin or just a user?


#7

This was fixed with the older, simple directory listing. h5ai has a completely different ruleset.

Just a note from the h5ai info page:

No web server specific things are supported, that includes access restrictions! Best chance to make restricted areas work and secure might be to place folder _h5ai completely inside that resticted area. Use it at your own risk!

We don’t restrict access to the dashboard based on user, therefore any user can access any sub-directory without limitation in the /srv/rutorrent/home folder.

A better setup would be to include _h5ai in each of the home directories and have apache continue to restrict access with the old configs.


#8

Just a normal user. Not the master user. You can login to any of the user account and then browse any other user account via http downloads.


#9

You’re right. I am a frigg’n stooge. I completely overlooked the fact that _h5ai overrules this. Good news is this. People can comment the line:

DirectoryIndex index.html index.php /_h5ai/public/index.php

located at /etc/apache2/apache2.conf – very bottom

and uncomment the line(s):

#Alias /USERNAME.rtorrent.downloads "/home/USERNAME/torrents/rtorrent/"

…and…

#Alias /USERNAME.deluge.downloads "/home/USERNAME/torrents/deluge/"

located at /etc/apache2/sites-enabled/aliases-seedbox.conf along with the individual users that were created.

More than likely I am just going to kill this feature and people can go back to installing as per the Wiki if they choose they want it.


#10

What does the above do?


#11

or we could have it be another option on install with a warning that people will most likely ignore lol.


#12

Is there no other secure http downloads that could be incorporated?


#13

It places back the default browser file directory and removes _h5ai.[quote=“ADz-83, post:12, topic:2944, full:true”]
Is there no other secure http downloads that could be incorporated?
[/quote]

Yes, follow my suggestion above. As @liza stated, this is an issue with _h5ai that will not honor these individual directories unless they are linked on a per user directory.


#14

@JMSolo I have not tested your fix yet on previous installed servers but I see the setup script has been updated to remove _h5ai and use standard file directory and the exact same security issue still remains. Login to one user and you have access to all :frowning:


#15

Is a fix being worked on for this @JMSolo, It seems new version has same issue with no authentication on http download folder as well? :frowning:


#16

This is not something that I can reproduce and it’s certainly not a high priority as again… QuickBox does utilize a multi-user feature, however, this is simply a courtesy that we include… our aim is not multi-user but to better the experience of the single user - the user renting the server. Feel free to review the config files and test a workable solution that fits best to your needs.


#17

I know this wouldn’t be a priority but I thought since http downloads is included in your project I thought it important to point out the security bug and assumed it would be something simple for you to update. I have no experience in the software unfortunately otherwise I would fix myself and provide edits for script. I know this project is geared towards single user but a lot of people will be using it for multiuser purpose for friends or commercial and in both cases this is kind of a big issue and potentially easy to fix for right person(s)?

To reproduce it’s simple as described earlier. You can do this on any setup with multiple accounts. Simply…

  1. Login to an account
  2. Visit the http download page
  3. edit the username in url with another username
  4. Load page/reload page

Doing the above will give you full access to any username folder you want. Example change “box1” to “box2” in URL and you will have access to box2, there is no prompt for logins.


#18

Why don’t you fix it? This is open source. You can fix it and do a pull request. I don’t think it’s QBs responsibilty to enhance this for commercial use. As a provider you should have in-house skills or can hire them to make it happen. This is making me want to cripple QB more and more for commercial purposes…Ala removing all multiuser abilities.


#19

@RXWatcher , I don’t see why you’re being so hostile? You seem to misunderstand me, This was not in any way made as a demand I simply created a bug report on forum and wondered if it would be looked at or not. I was not expecting or demanding anything and I was polite. I thought this was the point of the bug forum and forum in general to help out?

If I had the skills to fix and contribute I would gladly help out. Also I’m not some big provider/commercial company etc as you seem to think, it’s just a small project I’m doing, nothing more.

If I had the skills to contribute to code I would gladly do so. My contribution will be testing, checking for bugs and I will also be making more donations to project once have some spare funds.

Why do you feel the need to attack?

I apologise if I have come across as disrespectful in some way, that was certainly not my intent.


#20

I’m not attacking. I’m just getting tired of the obvious push to make this better suited for commercial use. We have even been moving that way with every user having access to install all apps and all users having their own internal Network so there isn’t any possible crosstalk however I think we need to step back and look at that. I don’t wish to be part of a project that is basically creating an industry off the backs of the people developing QB. There needs to be a way to break the commercial aspects off… Possibly making the core project only single user is one way. The new development will lend itself to incredible advances in seedboxes…Stuff unheard in the area now.