
Thread: security issue with iNEWA

  1. #1
    Join Date
    Sep 2008
    Location
    California
    Posts
    5,583

    security issue with iNEWA

    skippy_nz posted in the 2.5.5 announcement thread that he was able to bypass the security of iNEWA and go directly to the recordings list and delete shows without ever logging in. I tested it and first thought it was working fine, and reported same.

    However, on further testing I now see the problem:

    If the user goes to http://npvr:8866/mobile, it skips the login. I advertised that as a means to see the mobile site on a device not detected as mobile (such as a tablet like my HP TouchPad). This is obviously a pretty serious issue, though hopefully won't have any immediate consequence. I'm turning off external access to my NPVR box until this is fixed.
    NPVR Tech Support Sticky - - http://forums.gbpvr.com/showthread.p...612#post473612
    ---------------------------
    my config: NPVR 3.2.9/Win7Pro/Athlon II X3-440/radeon hd4550/hvr-2250/hvr-850/KWorld 315U/TimeWarner QAM & Analog, OTA ATSC/schedules direct
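
Added example (not part of the original post, and not NEWA code): a regression check that requests every entry point without a session and lists any that serve content instead of sending the client to the login page. It runs against a constructed in-process site; the site, the cookie value and every path other than /mobile are assumptions.

```python
# Added example: a constructed toy site, not NEWA code.
# Every path except /mobile is a hypothetical name.
from wsgiref.util import setup_testing_defaults

VALID_SESSION = "session=constructed-token"  # constructed sample cookie
ENTRY_POINTS = ["/", "/recordings", "/mobile", "/mobile/recordings"]


def make_app(requires_login):
    """Toy WSGI site; requires_login(path) decides which paths are gated."""
    def app(environ, start_response):
        path = environ["PATH_INFO"]
        logged_in = environ.get("HTTP_COOKIE") == VALID_SESSION
        if requires_login(path) and not logged_in:
            start_response("302 Found", [("Location", "/login")])
            return [b""]
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"content of " + path.encode()]
    return app


# Gate applied per entry point, with the alternate one left out.
ungated_mobile = make_app(lambda p: p != "/login" and not p.startswith("/mobile"))
# Gate applied to everything except the login page itself.
gate_everything = make_app(lambda p: p != "/login")


def status(app, path, cookie=None):
    """Issue one in-process GET and return the numeric status code."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    if cookie:
        environ["HTTP_COOKIE"] = cookie
    seen = {}

    def start_response(status_line, headers, exc_info=None):
        seen["code"] = int(status_line.split()[0])

    b"".join(app(environ, start_response))
    return seen["code"]


def served_without_login(app, paths=ENTRY_POINTS):
    """Return the paths that hand out content to a client with no session."""
    return [p for p in paths if status(app, p) == 200]


if __name__ == "__main__":
    print("ungated /mobile:", served_without_login(ungated_mobile))
    print("gate everything:", served_without_login(gate_everything))
```

An empty list is the passing result; any path in the list is reachable without logging in.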

  2. #2
    Join Date
    Nov 2006
    Location
    Louisville, KY, USA
    Posts
    7,690
    You could also rename the mobile folder or just disable it.

  3. #3
    Join Date
    Sep 2008
    Location
    California
    Posts
    5,583
    Yes, true, that would allow the regular NEWA to still operate securely while awaiting a fix for the mobile site.

  4. #4
    Join Date
    Sep 2008
    Location
    California
    Posts
    5,583
    sub has removed iNEWA from the 2.5.5 installer as of right now, so if you just now downloaded 2.5.5 and see this post, you're fine.

  5. #5
    Join Date
    Dec 2004
    Location
    West Yorkshire, UK
    Posts
    4,484
    Quote Originally Posted by johnsonx42 View Post
    I advertised that as a means to see the mobile site on a device not detected as mobile (such as a tablet like my HP TouchPad).
    Without wanting to hijack the thread, but what do you mean about an HP TouchPad not being detected as mobile?

  6. #6
    Join Date
    May 2006
    Location
    Canada
    Posts
    20,740
    IMHO if you are connecting to NEWA via the Internet, you really should only connect using a VPN anyway; it was never designed for the hackers on the Internet today.

    Martin

  7. #7
    Join Date
    Sep 2008
    Location
    California
    Posts
    5,583
    Quote Originally Posted by bgowland View Post
    Without wanting to hijack the thread, but what do you mean about an HP TouchPad not being detected as mobile?
    When I tested it on my webOS phone, the mobile site came up right away. On the TouchPad I got the full NEWA... Some may prefer this, so I'm not calling it a bug, but I just wanted the simple interface.

  8. #8
    Join Date
    Sep 2005
    Location
    Lower Hutt, NZ
    Posts
    4,888
    Quote Originally Posted by mvallevand View Post
    IMHO if you are connecting to NEWA via the Internet, you really should only connect using a VPN anyway; it was never designed for the hackers on the Internet today.

    Martin
    Unless it's a PPTP VPN....
    AMD FM1 x4 A8-3870 Llano, Gigabyte GA-A75-D3H, 4 Gb DDR3 Ram, Seagate 500 Gb, Seagate 1500 Gb, HVR3000 x 2 (DVB-S), Nova-T 500 (DVB-T), USB-Uirt, SPDIF -> Yamaha RX-V540, ATI HD6550 (OnBoard) > Samsung LA46A650 TV (HDMI), Harmony Remote 525
    Windows 7 Ultimate x64 SP1, NPVR 2.4.3, AC3Filter, 1 x Popcorn Hour A-100, 1 x AppleTV with Plex

  9. #9
    Join Date
    Sep 2008
    Location
    California
    Posts
    5,583
    Quote Originally Posted by mvallevand View Post
    IMHO if you are connecting to NEWA via the Internet, you really should only connect using a VPN anyway; it was never designed for the hackers on the Internet today.

    Martin
    Well I certainly wouldn't argue against that as being ideal, but it's simply not practical for most users. We just have to hope the NEWA web engine itself is secure enough to ward off automated attacks and casual hacks; it's not like a random PVR box would be a target for a serious hacking effort.

  10. #10
    Join Date
    Sep 2008
    Location
    California
    Posts
    5,583
    I was starting to wonder why we've had no comment from UJB or fjbpchristiaens on this, but their profiles show neither has been on since last week.
