RafaelSchridi
commented
7 years ago Shows an empty page for me.
Open bahbah opened 7 years ago
RafaelSchridi
commented
7 years ago Shows an empty page for me.
mescon
commented
7 years ago Hey!
While muximux doesn't contain perfect security by no means, this particular problem is a non-issue as far as I can tell. Can you show a proof of concept? Also, we encourage all users to always secure their installation with Basic Auth or other means of securing it.
I tried doing what you wrote, but the log file is not written to in this scenario.
Thanks for your report nevertheless.
d8ahazard
commented
7 years ago FWIW - I've already addressed this in the working codebase I've got local on my machine. Secret.txt is no longer, and the key is stored in the protected config file with other settings.
Just got a few more days on UI work, then I'll have these changes committed to the develop branch.
Hi,
I believe these URLs are open
http://[YourMuximux]**/secret.txt**
Using the value in that txt file, you can view the log: http://[YourMuximux]**/muximux.php?secret=XXXXX&action=log**
Or you can write to the log. Not sure what the size limit is here. I guess someone could exploit it and fill up your server with garbage. http://[YourMuximux]**/muximux.php?secret=XXXXX&action=writeLog&msg=Blah**
Cheers.