[mythtv] MythWeb

Paul Gardiner lists at glidos.net
Thu Jan 30 14:12:42 UTC 2014


On 30/01/2014 13:41, Raymond Wagner wrote:
> On 1/30/2014 8:02 AM, Paul Gardiner wrote:
>> On 30/01/2014 12:51, Raymond Wagner wrote:
>>> On 1/30/2014 7:47 AM, Paul Gardiner wrote:
>>>> On 30/01/2014 10:56, Jean-Yves Avenard wrote:
>>>>> Didn't you read what I wrote earlier? You never present the service
>>>>> directly.
>>>>>
>>>>> You expose it via various methods: such as apache httpd proxy.
>>>>
>>>> Okay, I'm probably not understanding, but I'd assumed that would still
>>>> mean you are handling raw http requests, so a buffer overrun bug is
>>>> potentially exploitable to run a process. Does the proxy somehow
>>>> prevent that?
>>>
>>> Yes. The proxy would handle authentication. You never touch the backend
>>> unless you've already been authenticated.
>>
>> But still, if someone learns your password, rather than just being able
>> to mess with your recordings, they may be able to exploit a bug to start
>> an arbitrary process on the server, right? With Mythweb, on the
>> other hand, the offender would need to find an apache or php exploit.
>
> Nope.  Go into Settings, MythTV.  Modify one of the job queue commands.
> Run that job against one of the recordings.  There are plenty of other
> ways you can exploit a system through MythTV, even if MythTV is behaving
> as intended with no bugs.

Oh, that's an easy one. :-) Okay, I think I can safely shut up now.

Cheers,
	Paul.

