µTorrent mUI

[Jinx]

It's been months and nobody has made a post regarding the mUI. Due to the strong evidence I've seen of some unclear intentions of the author, I feel I should warn any potential users of his site may result in your torrent data being known. I don't think this compromises system-wide security (provided you have an otherwise safe build of uTorrent), but nevertheless, as Determination mentioned, it is best to know who has your data and what they are doing with it.

In attempt to verify both the validity of the code and the author, I installed PHP on my Apache 2.0.x server and, not knowing any PHP, requested help from a friendly gentleman of ##PHP on Freenode IRC. I sent him the source.zip (file details below), and he sifted through the code for backdoors, and found none. He did remark at how messy the code was, and we both confirmed that, provided as is, it does not work. He was able to clean it up a bit, but every bug fixed exposed a new bug, and, as of yet, we were unable to get it working. This leads me to believe that releasing this particular source was meant to placate the users into believing there was nothing to hide, thereby getting people to trust his on-site login. Note that the source was not released until after mysyasir posted his own copy (which is no longer available at any of those URLs--perhaps he will repost the clean version).

I really don't know what the advantage to stealing uTorrent information would be, so it would be unfair for me to accuse the author of malicious intentions. However, his posts obviously seem as if he's not only excited about, but also nearly desperate for one to try out his software. He has not made working code available to the public, and he has ceased development on fixing any bugs that are in the code. This all yields suspicion on the part of the user.

Of course, I know there is now a good PHP API available, so perhaps it would smarter to simply re-write the code from scratch. The volunteer from IRC, upon seeing the PHP API, breathed a sigh of relief. I don't know if he will re-write the code or if someone else is already trying to, but I think we can all agree to hope for a clean/working Mobile UI in the near future. Thank you,

Jinx

Note: The source.zip tested was obtained from "www.utorrentmui.com" on 2008/04/08 and had the following hashes: MD5:F91C85E1C69B7F09CF88C7848B0AD586 CRC32:AF666CDD SHA1:01F5BD02DDDBE387F1A245AF6C57EDDCBED8033E

[Lord Alderaan]

Valid concerns indeed. Sadly there is NO way to be sure that mofle (or anyone else offering such a service) is not gathering user data. And the not working source is indeed suspicious because if he was using that source himself it should work. Also the lack of php knowledge mofle has displayed in the php api thread raises further concerns.

mofle I hope you can make the current source as-is and unmodified available to us as soon as possible. This won't remove our concerns but might give us some minor assurances.

But the advice to everyone using these kind of services is to always use logins and passwords you use nowhere else and to not use it to view/download/etc private data.

[mofle]

Just to clear up some stuff.

- I did not code µTorrent mUI, a freelancer did.

- I am not a PHP coder (i have absolutely no knowledge in PHP), I'm a designer.

- Myasir was helping me with some bugs, that i found after the original developer finished it. He took the code hostage, and wanted a lot more money than we had agreed on, if not he would release the code. And he did...

- If you don't trust it, you don't have to use it.

- You can also download it and have it on your own server, or start your own trustworthy web service with it.

- The code is both buggy and messy, sorry for that.

- I don't know yet why it doesn't work, it's work very well on my MAMP server at home, and µTorrent 1.7.7.

- If anyone want to make a better on, be my guest, i love to see a remote control with some quality.

- I originally had the µTorrent mUI made for personal use.

- I'm not gathering user data, nor did i ever intend too.

- µTorrent mUI will not be developed further, since the base code is just plain trash.

I'm sorry how it turned out, i had better hopes for it.

[jewelisheaven]

I do not wish to step on anyone's toes... however I must ask, if the source provided is actually the code running on utorrentmui.com ?

If not, could THAT code be provided so perhaps the maintainer of the site would get some input on making it cleaner / less resource hungry. It's my intuition spaghetti code is not as clean or compact as some of the proposed changes to the PHP WebUI for example... and if this is the case, why abandon this maintenence instead of making it better and at the same time assuaging these fears.

If there's nothing to hide, why run away from the light

[mofle]

Because the code is way to messy to do something with.

However, the code is available for downloading at the site.

I've added a way for you guys to check out the actual code running on the website

Please let me know if there is something else i can do.

www.utorrentmui.com

[Lord Alderaan]

"however I must ask, if the source provided is actually the code running on utorrentmui.com ?"

I must ask this same question. For example the source has no index.php file while your website is using that as default index page...

But Hell does it matter?! We don't have to even see the source. Since the forum submits a "GET" the login and password are stored in plain text in the server logs. He doesn't even NEED to send emails through the source...

When filling in login info on a server always assume the owner can get their hands on it. Its a matter of trust and danger.

How much trust do you have in the owner of the server (mofle in this case)?

How much danger is there if your login data leaks out?

If the password is only used for the webui the worst that could happen is them deleting your torrents and it's data.

If you use this password on other places then they might be able to get access to those if they track you down.

[jewelisheaven]

I understand. Checking it out, it does look like it could use some polish, but I think some input from the PHP API as well as other developer input may allow you to create the slimmer mobile UI 2.0

Sure there are countless interfaces, but I can imagine someone finding it easier to just login to their m.utorrentmui.com bookmark instead of using say the Flash UI

The view website source is at the bottom of the mainpage. It's not the same "download source" link

[mofle]

It doesn't matter.

µTorrent mUI is closed anyway...

www.utorrentmui.com

[Jinx]

Mofle: I apologize if I incited excessive suspicion against you. While there is cause for it, I do not claim to know what your intentions are. If you simply wanted to share a private set of code, then thank you. Either way, I think it's unwise to completely close your site. I apparently missed that small window of time in which you offered the source of the files on which the site is running (post 30 here). I would very much like to try it. If it works, that really takes away a lot of this suspicion. If not, it won't do any damage. Thank you,

Jinx

P.S: Jewelisheaven: If you were able to obtain the site source, please consider posting it. Thank you.

[mofle]

Source: www.utorrentmui.com/source.zip

[Lord Alderaan]

mofle: What I meant with my previous post wasn't that people shouldn't trust you. What I meant was that the source doesn't matter, it would be easy for you to log all those passwords simply because they would be stored in the webserver logfiles. And if people have been trusting you all these months the lack of a decent/correct source is not the reason they should stop trusting you now.

Also I haven't heard a single complaint about someone mysteriously losing all his torrents and data or anything else that might have been caused if you abuse the logins you could have collected. I think its sad to see the service go. If you removed it purely because of this stuff then I hope you consider putting it back up.

(Oh and maybe insert a little warning that, although you could, you would never store the usernames and passwords of users. And that you always recommend users to use a unique username and password that they don't use anywhere else. Honesty and good advice always incites a degree of trust in people.)

[Jinx]

As Lord Alderaan said, there haven't been any complaints regarding m.muitorrent.com. I was not at all suggesting you take it down--I actually encourage you to keep it up. Given proper warning, people have the right to decide if they wish to share their information with you.

My intentions were not to imply that you're deceiving anyone, I only wanted to warn people and try to incite you to release working code if you had not done so already. Ultimately, I think everyone here wants just that.

I've added a way for you guys to check out the actual code running on the website wink

The source.zip you linked to is the exact source that was available on via the site. I have tried running the PHP in that source.zip and cannot get it to work. When you said the above, I assumed you meant there was a new source.zip available with the exact code that is running on the site (since it is reported to run successfully). Please make that code available, or if it is the same somehow, let us know. Thank you,

Jinx

[Ultima]

Just tested the source code, and it (indeed) works...

[Jinx]

I stand corrected, then. From IRC, you (Ultima) stated you were running XAMPP. I am not. I don't know why other PHP files would work on my setup and not these, though I will be sure to investigate.

I owe you an apology, mofle. I assumed the code didn't work because of only two people who have tested it (myself and another). I thought surely had someone else tested it and had it working, they would have posted by now, but apparently no one else did until Ultima. Regardless, I'd like to hear what software/versions you are running on m.utorrentmui.com.

The whole security issue is still up for grabs, and, you must admit, the early accusations are cause for concern. Nevertheless, the code apparently works, which serves to vindicate your intentions. Again, I encourage you to put the site back up. No one here was calling for it to be taken down. We think it's great you are trying to contribute. Personally, I just get a little scared when there are largely unanswered accusations and (for a while) no confirmation on whether or not the source works.

We know now that the source does work, and hopefully I'll be able to get it to work for myself, too. Again, I apologize and hope you consider continuing work with respect to the mUI. Thank you,

Jinx

[mofle]

The source code provided in the .zip is the exact code that was running on the site. However, in the last few months it did not work for me, it only worked if i used it on my MAMP (XAMPP for Mac). If anybody has a good explanation for this, please let me know.

By the way, I have thought about taking the site down for a long time now, this isn't something just out of the blue.

I'm sure some of you PHP gurus can code a much better mUI in no time at all using the PHP API. And maybe, just maybe, the 1.8 version of µTorrent will bring a mobile UI to us too

[Ultima]

Random guess (since I'm no PHP guru): maybe it's because the PHP blocks start with "<?" instead of the usual "<?php", so some servers aren't parsing the file correctly?

Edit: http://en.wikipedia.org/wiki/PHP#Syntax

Wiki seems to indicate as much: some servers might have short tag parsing disabled.

[mofle]

I've just tried that, it's not it. Thanks anyway.

[Jinx]

2008/04/12 19:46EST Update:

Alright! I have finally been able to get the mUI working.

The first issue is with cURL. To get cURL to load properly, it was as simple as reinstalling PHP from the 5.2.5 MSI installer, and making sure to enable the extension. Apparently adding the extension manually involves some additional task that isn't well documented. The installer does it properly, however.

After getting cURL working, the code functions. There is one error in act.php which is the result of an inappropriate select-case structure where the default action was placed before the "default:" tag. Thanks goes to another friendly person from ##PHP on Freenode for getting that one. The error results in an infinite loop redirect, which Firefox detects (though I'm not sure about all browsers, esp. phone browsers). The action is still performed (the torrent is paused/resumed/stopped), so I suppose if your browser works fine (and you don't mind hitting back after each action), then you don't need to adjust anything. However, I really recommend editing the act.php file so that lines 22 and 23 are switched, else your server will probably throw up errors.

For those of you too lazy to edit the file, I will be serving act.zip for a little while on my server. The only real change is the switch of those lines (Actually I overwrote the blank line 24 with the contents of line 22, but that's kind of irrelevant). act.zip

Original Post as follows:

Well, other than the short tag parsing, I believe the error has to do with the cURL function. If you set "display_errors = On", then show.php will repeatedly output "Fatal error: Call to undefined function curl_init() in [drive]:\[path]\show.php on line 66".

I have tried numerous ways to get cURL to function on my Apache+PHP5 setup. I have not yet tried running it on XAMPP since I don't really want to change/import all my existing Apache settings. According to a lot of PHP posts I've read, enabling cURL should be as simple as uncommenting (or adding) a line of "extension=php_curl.dll" in the PHP.ini. (This assumes that the "extension_dir" directive is set properly.) Supposedly, PhpInfo() should then include a statement about cURL being loaded.

Personally, I've tried putting "php_curl.dll" in every directory I can think of (including system root, php root, apache root, and more), but to no avail. I've also tried changing the "extension_dir" directive to all sorts of combinations. It simply will not load cURL.

Another possible issue with loading cURL on WinXP are the files "ssleay32.dll" and "libeay32.dll". According to a few posts, those files must be in the System32 directory. Personally, I already had a previous version of them there (0.9.8d), but upgrading to the 0.9.8g (included with XAMPP) didn't help. (No, I'm not running XAMPP, I just took those DLLs from it.)

Once cURL works, I imagine the remainder of the code will work. If anyone can figure out how to get it functioning properly, please let me know. Thank you,

Jinx

[Lord Alderaan]

Looking forward to it.

[AlicanC]

I was looking for a script like this. I tried this one, but it didn't gave me enough control and code looked buggy so I coded a new mUI for myself. It uses cURL library like this one and works great with WampServer. I can release it if you are intrested.

[Jinx]

I have been working on fixing/improving some of the mUI code over the past week. I should note that I do not really know PHP, and was simply applying what programming I do know in PHP, looking up various functions in the online help, and querying the friendly people in the PHP channel on Freenode.

Below is the contents of the Readme.txt file. Please note that the "sorting" I refer to is simply a set of links that let you move around your list faster (using <a name> labels). The size of each grouping defaults to 10, but can be specified in the URL using &groupsize=<N> where <N> is a positive integer.

My domain's DNS has been resolving incorrectly recently, so Lord Alderaan volunteered to host the zip file for me. It is available here: http://cdlist.mine.nu/dump/uTorrent_PHP_mUI-0.0.1-Jinx.zip

Readme.txt:

As noted in the "show.php" file, the original developer of this code was Mofle. He decided not to continue it, so I tried to make it more usable. I started by fixing the settings page and adding some sorting. I also added the ability to add a torrent URL or file. I am working on a few more (minor) things, but this version should work pretty well. I hope you enjoy it. You are welcome to contact me. I am Jinx on the uTorrent forums, though I'd prefer if you contacted me via uTorrent's IRC (irc://irc.p2p-network.net/uTorrent-WebUI). Thank you.

~Jinx

Edit:

AlicanC: I left my browser on the post screen since this morning and thus didn't see your post before I submitted this. You are more than welcome to share your source. It's probably better than mine, and thus will likely irritate me a bit considering the late hours I've spent trying to figure out PHP (since no one else seemed capable/willing to do it), but, in the end, I'd much rather see a good/clean script have some benefit to the community. Please share.

[AlicanC]

LOL. I was looking at the page 1 so I thought this is not being developed anymore

I have just made a simple script to check what's going on with my N73. Unlike µTorrent mUI, my script is for user's computer, not a remote site. Ofcourse users can replace "127.0.0.1" with anything they want, but my aim is to keep things simple and fast.

http://b.imagehost.org/0535/2008-04-18_234937.jpg

[GLO]

Hi Jinx,

Its been pretty quiet on this thread, is there any more development on this webmui?

Thanks

edit: will it also let you remotely add new torrents to download?

[johndoe666]

I'm working on a similar app:

http://forum.utorrent.com/viewtopic.php?pid=419800#p419800

Let me know if you have any requests