security issue with iNEWA

**johnsonx42** · 2012-08-07, 08:11 PM

skippy_nz posted in the 2.5.5 announcement thread that he was able to bypass the security of iNEWA and go directly to the recordings list and delete shows without ever logging in. I tested it and first thought it was working fine, and reported same.

However, on further testing I now see the problem:

If the user goes to http://npvr:8866/mobile, it skips the login. I advertised that as a means to see the mobile site on a device not detected as mobile (such as a tablet like my HP TouchPad). This is obviously a pretty serious issue, though hopefully won't have any immediate consequence. I'm turning off external access to my NPVR box until this is fixed.

**whurlston** · 2012-08-07, 08:31 PM

You could also rename the mobile folder or just disable it.

**johnsonx42** · 2012-08-07, 08:33 PM

yes, true, that would allow the regular NEWA to still operate securely while awaiting a fix for the mobile site.

**johnsonx42** · 2012-08-07, 09:28 PM

sub has removed iNEWA from the 2.5.5 installer as of right now, so if you just now downloaded 2.5.5 and see this post, you're fine.

**bgowland** · 2012-08-07, 10:14 PM

Originally Posted by johnsonx42

I advertised that as a means to see the mobile site on a device not detected as mobile (such as a tablet like my HP TouchPad).

Without wanting to hijack the thread but what do you mean about an HP TouchPad not being detected as mobile?

**mvallevand** · 2012-08-07, 10:15 PM

IMHO if you are connecting to NEWA via the Internet, you really should only connect to using a VPN anyway, it was never designed for the hackers on the Internet today.

Martin

**johnsonx42** · 2012-08-07, 11:07 PM

Originally Posted by bgowland

Without wanting to hijack the thread but what do you mean about an HP TouchPad not being detected as mobile?

when I tested it on my webOS phone, the mobile site came up right away. On the TouchPad I got the full NEWA... Some may prefer this, so I'm not calling it a bug, but I just wanted the simple interface.

**psycik** · 2012-08-08, 12:12 AM

Originally Posted by mvallevand

IMHO if you are connecting to NEWA via the Internet, you really should only connect to using a VPN anyway, it was never designed for the hackers on the Internet today.

Martin

Unless its a PPTP VPN....

**johnsonx42** · 2012-08-08, 02:05 AM

Originally Posted by mvallevand

IMHO if you are connecting to NEWA via the Internet, you really should only connect to using a VPN anyway, it was never designed for the hackers on the Internet today.

Martin

Well I certainly wouldn't argue against that as being ideal, but it's simply not practical for most users. We just have to hope the NEWA web engine itself is secure enough to ward off automated attacks and casual hacks; it's not like a random PVR box would be a target for a serious hacking effort.

**johnsonx42** · 2012-08-08, 02:08 AM

I was starting to wonder why we've had no comment from UJB or fjbpchristiaens on this, but their profiles show neither has been on since last week.

Thread: security issue with iNEWA

Thread Tools

Display

security issue with iNEWA

Posting Permissions