[mythtv] MythWeb

Paul Gardiner lists at glidos.net
Thu Jan 30 13:02:40 UTC 2014


On 30/01/2014 12:51, Raymond Wagner wrote:
> On 1/30/2014 7:47 AM, Paul Gardiner wrote:
>> On 30/01/2014 10:56, Jean-Yves Avenard wrote:
>>> Didn't you read what I wrote earlier? You never present directly the
>>> service.
>>>
>>> You expose it via various methods: such as apache httpd proxy.
>>
>> Okay, I'm probably not understanding, but I'd assumed that would still
>> mean you are handling raw http requests, so a buffer overrun bug is
>> potentially exploitable to run a process. Does the proxy somehow
>> prevent that?
>
> Yes. The proxy would handle authentication. You never touch the backend
> unless you've already been authenticated.

But still, if someone learns your password, rather than just being able
to mess with your recordings, they may be able to exploit a bug to start
an arbitrary process on the server, right? With MythWeb, on the
other hand, the offender would need to find an apache or php exploit, and
those two systems have been patched against such exploits constantly for
many years.

This may not be important given the unlikeliness of someone with the
knowledge to do so being bothered to try, but I believe that's what
Jay was pointing out, and I'm just trying to establish whether it's
an issue, however small. I don't know, perhaps it's not an additional
weakness and such bugs can be exploited even via apache and php. Just
trying to understand.

P.


More information about the mythtv-dev mailing list