[mythtv] MythWeb

Raymond Wagner raymond at wagnerrp.com
Thu Jan 30 13:41:49 UTC 2014

On 1/30/2014 8:02 AM, Paul Gardiner wrote:
> On 30/01/2014 12:51, Raymond Wagner wrote:
>> On 1/30/2014 7:47 AM, Paul Gardiner wrote:
>>> On 30/01/2014 10:56, Jean-Yves Avenard wrote:
>>>> Didn't you read what I wrote earlier? You never present directly the
>>>> service.
>>>> You expose it via various methods: such as apache httpd proxy.
>>> Okay, I'm probably not understanding, but I'd assumed that would still
>>> mean you are handling raw http requests, so a buffer overrun bug is
>>> potentially exploitable to run a process. Does the proxy somehow
>>> prevent that?
>> Yes. The proxy would handle authentication. You never touch the backend
>> unless you've already been authenticated.
> But still, if someone learns your password, rather than just being able
> to mess with your recordings, they may be able to exploit a bug to start
> an arbitrary process on the server, right? With Mythweb, on the
> otherhand the offender would need to find an apache or php exploit

Nope.  Go into Settings, MythTV.  Modify one of the job queue commands.  
Run that job against one of the recordings.  There are plenty of other 
ways you can exploit a system through MythTV, even if MythTV is behaving 
as intended with no bugs.

More information about the mythtv-dev mailing list