Ansuel / tch-nginx-gui

Modified file to apply to a stock technicolor GUI
GNU General Public License v3.0

[SECURITY FLAW] Web GUI exposed on WAN #1031

Closed knightian closed 3 years ago

knightian commented 3 years ago

Web GUI is exposed on WAN when ports 80 and 443 are forwarded and the device the ports are forwarded to is offline. There is no option to disable this behaviour in the GUI.

Device Model: TG789MYRvac v2 HP Gui Version: 9.6.50

Description of problem: The web GUI interface has taken over my ports 80 and 443 when my device that would normally accept the connections on port 80 or 443 goes offline. Instead of going to my usual services at port 80 or 443, it exposes the Web GUI of the modem to the public.

I have spent time to go through all areas of the GUI and there seems to be no way to disable this behaviour.

Security risk.

lorenzocanalelc commented 3 years ago

I think it depends on the Device configuration, not directly on the GUI.

#887

knightian commented 3 years ago

@lorenzocanale-LC Ah yes I see you found the same problem. I have direct mapping unlike you however, so I'm doing 80 -> 80 and 443 -> 443

It just hit me by surprise: suddenly I was getting cert errors, and when I looked I had a self-signed Technicolor cert, and then I noticed that my pi in the back end was offline. Turned it on and the ports are forwarded correctly, but this is a security breach, as if my pi goes offline it then exposes the modem to the public internets.

Also I am referencing by mac address not by IP address. I will try by IP and see if it solves for now. IP is static anyway so unsure why I chose to do it by MAC.


knightian commented 3 years ago

It does indeed appear that referencing an IP instead of a MAC address mitigates the problem for now.
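The failure mode described in this thread (forwarded ports 80/443 silently falling back to the modem's own GUI, first noticed as certificate errors) is easy to monitor for from the outside. The script below is an added example, not code from the tch-nginx-gui project: it probes a WAN address, runs a fully verified TLS handshake on 443 and a plain fetch on 80, and classifies the result. The vendor marker strings, the `expected_marker` for your own backend, and the sample page titles in the tests are assumptions I constructed for illustration.

```python
"""Check whether forwarded ports 80/443 on a WAN address still serve the
intended backend, or have fallen back to the modem's own web GUI.

Added example for issue discussion, not part of tch-nginx-gui."""
import re
import socket
import ssl
import sys
import urllib.error
import urllib.request
from typing import Optional, Tuple

# Assumed strings that suggest the modem GUI is what is answering.
# Extend with whatever your own gateway's pages actually contain.
VENDOR_MARKERS = ("technicolor", "tch-nginx-gui")


def http_title(body: str) -> Optional[str]:
    """Return the <title> text of an HTML body, or None."""
    m = re.search(r"<title>(.*?)</title>", body, re.I | re.S)
    return m.group(1).strip() if m else None


def probe_tls(host: str, port: int = 443, timeout: float = 5.0) -> Tuple[bool, Optional[str]]:
    """Full-verification TLS handshake (chain + hostname), as a browser would do.
    A self-signed gateway cert shows up here as a verification failure."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True, None
    except ssl.SSLCertVerificationError as e:
        return False, f"certificate verification failed: {e.verify_message}"
    except OSError as e:  # includes ssl.SSLError, refused, timeout
        return False, str(e)


def probe_http(host: str, port: int = 80, timeout: float = 5.0) -> Optional[str]:
    """Fetch the landing page on the plain-HTTP port; None if unreachable."""
    url = f"http://{host}:{port}/"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:  # 4xx/5xx still carries a body
        return e.read(65536).decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return None


def assess(tls_ok: bool, tls_error: Optional[str], body: Optional[str],
           expected_marker: str) -> dict:
    """Classify one probe. `expected_marker` is a string your own backend's
    page is known to contain (assumed; pick something stable such as its title)."""
    body_l = (body or "").lower()
    vendor_hit = any(mk in body_l for mk in VENDOR_MARKERS)
    backend_hit = expected_marker.lower() in body_l
    cert_problem = (not tls_ok) and tls_error is not None and "certificate" in tls_error.lower()
    if body is None and not tls_ok and not cert_problem:
        status = "unreachable"              # both ports dead: forward is down, GUI not exposed
    elif vendor_hit or (cert_problem and not backend_hit):
        status = "gui_takeover_suspected"   # the symptom from this issue
    elif backend_hit and tls_ok:
        status = "backend"                  # everything as intended
    else:
        status = "unknown"
    return {"status": status, "vendor_hit": vendor_hit, "backend_hit": backend_hit,
            "cert_problem": cert_problem, "title": http_title(body or ""), "tls_error": tls_error}


def check_wan(host: str, expected_marker: str) -> dict:
    """Live check: probe both forwarded ports and classify."""
    tls_ok, tls_error = probe_tls(host)
    body = probe_http(host)
    return assess(tls_ok, tls_error, body, expected_marker)


if __name__ == "__main__":
    # Usage: python check_wan.py <wan-host-or-ip> <expected-marker>
    # Run it from outside your LAN (or via a VPS) so you see what the WAN sees.
    result = check_wan(sys.argv[1], sys.argv[2])
    print(result)
    sys.exit(0 if result["status"] == "backend" else 1)
```

The non-zero exit code makes it usable from cron or a monitoring agent; an alert on `gui_takeover_suspected` would have caught the backend going offline before the gateway's login page was reachable from the internet for long.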

FrancYescO commented 3 years ago

closing this for https://github.com/Ansuel/tch-nginx-gui/issues/887