[mythtv-users] MythTV web app security

Peter Bennett pb.mythtv at gmail.com
Tue Feb 25 20:03:30 UTC 2025


By default the web app is not accessible outside your own subnet.

You can make it available by selecting "Listen on all IP Addresses" in 
setup and opening a port on your router, but it is not recommended.

I had a test backend open to the internet this way for 1 day and at 7:30 
AM somebody from Canada ran the web app and downloaded a bunch of 
recordings. I don't know how they figured out my IP address and to use 
port 6544.

To prevent this you can do the following, which I am now doing on the 
test backend. This is a low level of security which would not stop a 
determined hacker. This method only affects the web app. The service API 
still works as normal through port 6544. A savvy hacker could use the 
service API to do everything that the web app does, but it would be much 
more work for them with little profit to be made.

Use MYTHTVDIR=/usr or other location such as /usr/local where mythtv is 
installed, and HTML_PASSWORD=some alphabetic or numeric sequence.

MYTHTVDIR=/usr
HTML_PASSWORD=5085551212
# The *([0-9]) pattern below needs bash extended globbing
shopt -s extglob
if [[ "$HTML_PASSWORD" != "" ]] ; then
     # Move index.html aside to prevent snooping
     if [[ -f $MYTHTVDIR/share/mythtv/html/apps/backend/index.html ]] ; then
         sudo mv -f $MYTHTVDIR/share/mythtv/html/apps/backend/index.html \
             $MYTHTVDIR/share/mythtv/html/apps/backend/index-xxx.html
     fi
     # Remove old passwords (this example only removes numeric sequences)
     sudo rm -f $MYTHTVDIR/share/mythtv/html/*([0-9]).html
     # Add new password: copy the saved page to <password>.html
     sudo cp -f $MYTHTVDIR/share/mythtv/html/apps/backend/index-xxx.html \
         $MYTHTVDIR/share/mythtv/html/$HTML_PASSWORD.html
fi

Then invoke web app with http://<ip address>:6544/5085551212.html

Running http://<ip address>:6544 or http://<ip address>:6544/index.html 
gives a 404 error.

While running the web app this way do not use page refresh. That will 
give a 404 error. The web app navigates to URLs like http://<ip 
address>:6544/dashboard/program-guide . These cannot be used directly as 
they will give a 404 error. The only way to get into the web app is 
http://<ip address>:6544/5085551212.html and then use the links and 
buttons to navigate.

Peter
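
A variant of the procedure above, as an added example that is not part of the original post: it names the entry page with a random 128-bit value instead of a numeric sequence and removes earlier names by a fixed prefix. The function name, the wa- prefix and the temporary demo tree are assumptions made for the example; on a real install the function would be run as root against /usr or /usr/local.

```bash
#!/usr/bin/env bash
# Added example, not the original poster's script.
# Hypothetical names: rotate_entry_page, the "wa-" file prefix, demo_root.

# rotate_entry_page <mythtv install prefix>
# Prints the new entry file name on success, exits non-zero on failure.
# The body runs in a subshell, so its variables do not leak to the caller.
rotate_entry_page() (
    html="$1/share/mythtv/html"
    app="$html/apps/backend"

    # First run only: move index.html aside so that / and /index.html
    # give a 404, as in the original procedure.
    if [ -f "$app/index.html" ]; then
        mv -f "$app/index.html" "$app/index-xxx.html" || exit 1
    fi
    if [ ! -f "$app/index-xxx.html" ]; then
        echo "index-xxx.html not found under $app" >&2
        exit 1
    fi

    # 16 bytes from the kernel random source, hex encoded (32 characters).
    token=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
    [ "${#token}" -eq 32 ] || exit 1

    # Remove entry pages from earlier runs, whatever characters they used,
    # then publish the page under the new name.
    rm -f "$html"/wa-*.html
    cp -f "$app/index-xxx.html" "$html/wa-$token.html" || exit 1
    echo "wa-$token.html"
)

# Constructed demo tree so the example runs offline and touches no real install.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/share/mythtv/html/apps/backend"
echo '<html>web app</html>' > "$demo_root/share/mythtv/html/apps/backend/index.html"

first=$(rotate_entry_page "$demo_root")    # initial setup
second=$(rotate_entry_page "$demo_root")   # rotation replaces the first name
echo "entry page is now: $second"
```

The random name still travels in the URL over plain HTTP, so this remains the low level of security described above.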