gnump3d offers a security setting involving a username:password combination that can be easily bypassed.

Reproducible: Always

Steps to Reproduce:
1. Connect to the gnump3d webserver with the password security option enabled and a file called .password in the main directory your music files are saved in.
2. When it asks for a username and password, click cancel. The server will tell you that you've been denied.
3. Click 'search', and type in a search term that will give results based upon your music library.

Actual Results:
The server allows you to download and/or stream music to you based upon your preferences or server settings, bypassing the username/password security setting.

Expected Results:
You shouldn't be able to browse or download music without presenting the proper credentials. It should deny anyone who does not give a proper username and password combination.

Works with all browsers.
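The bypass in the report, as an added illustration that is not part of the original bug or of gnump3d's Perl source: a small request dispatcher that models the observed symptom (the index page demands credentials, but a client that cancels the browser prompt and goes straight to a search or download is served), beside a dispatcher that makes the credential check once, before routing, so every path is covered. The .password line format, the handler names and the /search and /download paths are assumptions for the example.

```python
import base64
import hmac
from typing import Callable, Dict, Optional, Tuple

# Constructed stand-in for the .password file the reporter placed in the
# music root. The "user:password" line format is an assumption for this example.
PASSWORD_FILE = "james:s3cret\n"

Headers = Dict[str, str]
Response = Tuple[int, str]          # (HTTP status, body)
Handler = Callable[[str, Headers], Response]

UNAUTHORIZED: Response = (401, "Authentication required")
NOT_FOUND: Response = (404, "Not found")


def load_credentials(text: str) -> Dict[str, str]:
    """Parse user:password lines; blank lines and '#' comments are ignored."""
    creds: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, password = line.split(":", 1)
        creds[user] = password
    return creds


def basic_header(user: str, password: str) -> Headers:
    """Build the Authorization header a browser sends after the login prompt."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


def basic_auth_ok(headers: Headers, creds: Dict[str, str]) -> bool:
    """True only if the request carries a valid HTTP Basic credential."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return False          # 'cancel' in the browser sends no header at all
    try:
        decoded = base64.b64decode(value[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return False
    user, sep, password = decoded.partition(":")
    if sep != ":" or user not in creds:
        return False
    return hmac.compare_digest(creds[user], password)


# Hypothetical handlers standing in for the server's index, search and download pages.
def index(path: str, headers: Headers) -> Response:
    return (200, "<html>library index</html>")


def search(path: str, headers: Headers) -> Response:
    term = path.partition("q=")[2]
    return (200, f"results for '{term}'")


def download(path: str, headers: Headers) -> Response:
    return (200, "<mp3 bytes>")


ROUTES: Dict[str, Handler] = {"/": index, "/search": search, "/download": download}


def route(path: str) -> Optional[Handler]:
    return ROUTES.get(path.partition("?")[0])


def serve_broken(path: str, headers: Headers, creds: Dict[str, str]) -> Response:
    """Symptom from the report: only the index demands credentials, so a
    client that cancels the prompt and goes straight to /search or /download
    is served. (This models the behaviour, not gnump3d's actual code.)"""
    handler = route(path)
    if handler is None:
        return NOT_FOUND
    if handler is index and creds and not basic_auth_ok(headers, creds):
        return UNAUTHORIZED
    return handler(path, headers)


def serve_fixed(path: str, headers: Headers, creds: Dict[str, str]) -> Response:
    """The check is made once, before dispatch, so no route can be reached
    without credentials when a .password file is present."""
    if creds and not basic_auth_ok(headers, creds):
        return UNAUTHORIZED
    handler = route(path)
    if handler is None:
        return NOT_FOUND
    return handler(path, headers)


def probe(server, creds: Dict[str, str]) -> Dict[str, int]:
    """Replay the reporter's steps: no credentials (the cancelled prompt),
    then hit the index, a search and a download. Returns the status per path."""
    paths = ("/", "/search?q=beatles", "/download?f=track.mp3")
    return {p: server(p, {}, creds)[0] for p in paths}


if __name__ == "__main__":
    creds = load_credentials(PASSWORD_FILE)
    print("broken:", probe(serve_broken, creds))
    print("fixed: ", probe(serve_fixed, creds))
```

The point of the contrast is where the check lives: when each handler decides for itself whether to ask for credentials, every handler that forgets is an unauthenticated entry point, which is exactly what the report's step 3 exercises. Deciding once before dispatch removes that class of omission.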
Thanks for your report James. Did you discover this issue? Have you contacted upstream about it?
(In reply to comment #1)
> Thanks for your report James. Did you discover this issue? Have you contacted
> upstream about it?

I did discover it. After my logfile quadrupled overnight, I noticed someone (resolved to a Korean IP) downloaded most of my library overnight. Noticing that they didn't use a username/password, I simply clicked 'cancel' when Firefox asked me for them, and I had full access. :x

As for upstream, I have emailed steve (at) steve.org.uk, the contact email for the author of gnump3d, but as of yet I have not received a response.
(In reply to comment #2)
> (In reply to comment #1)
> > Thanks for your report James. Did you discover this issue? Have you contacted
> > upstream about it?
>
> I did discover it. After my logfile quadrupled overnight, I noticed someone
> (resolved to a Korean IP) downloaded most of my library overnight. Noticing
> that they didn't use a username/password, I simply clicked 'cancel' when
> Firefox asked me for them, and I had full access. :x
>
> As for upstream, I have emailed steve (at) steve.org.uk, the contact email for
> the author of gnump3d, but as of yet I have not received a response.

OK, so we'll wait a few days so that they can patch this.
Just a note: please don't modify the bug fields once they've been set or corrected by a developer ;)
(In reply to comment #3)
> (In reply to comment #2)
> > (In reply to comment #1)
> > > Thanks for your report James. Did you discover this issue? Have you contacted
> > > upstream about it?
> >
> > I did discover it. After my logfile quadrupled overnight, I noticed someone
> > (resolved to a Korean IP) downloaded most of my library overnight. Noticing
> > that they didn't use a username/password, I simply clicked 'cancel' when
> > Firefox asked me for them, and I had full access. :x
> >
> > As for upstream, I have emailed steve (at) steve.org.uk, the contact email for
> > the author of gnump3d, but as of yet I have not received a response.
>
> OK, so we'll wait a few days so that they can patch this.
> Just a note: please don't modify the bug fields once they've been set or
> corrected by a developer ;)

I'm not sure how I messed that up. Sorry :x
James, any news from upstream?
From upstream ChangeLog:

3.0 [17th October 2007]
- Removed several perl warnings.
- Removed password protection as being broken beyond repair.

No security is better than bad security.
Sound, can you provide an updated ebuild?
(In reply to comment #7)
> From upstream ChangeLog:
>
> 3.0 [17th October 2007]
> - Removed several perl warnings.
> - Removed password protection as being broken beyond repair.
>
> No security is better than bad security.
> Sound, can you provide an updated ebuild?

*ping*
Sound, please bump.
Sorry.. I'll _try_ to get it today. So much to do, so little time ;)
bumped, sorry for the delay
Thanks. Arches, please test and mark stable media-sound/gnump3d-3.0. Target keywords : "alpha amd64 ppc64 sparc x86"
ppc64 stable
x86 stable
alpha/sparc stable
amd64 stable
This issue was only introduced in the 2.9final release (bug 182814), which hit the tree on 05 Aug 2007 and never went stable. Closing [noglsa] therefore.
Does not affect current (2008.0) release. Removing release.