bugmenot (posted May 24, 2009):
Hello again, I noticed that with a simple snippet like this:
<img src="http://localhost:PORT/gui/?action=setsetting&s=max_ul_rate&v=0" />
embedded into any website, anyone can change my upload rate (or the web UI password, for that matter). I'm currently in the process of coding a custom web UI, and I'm aware of the token system. In fact, I'm using it, but µTorrent (1.8.2) still seems to accept requests without a token.
Ultima (posted May 24, 2009):
That's because webui.token_auth is disabled by default. You'll find that, when enabled, requests without a token simply cause µTorrent to spit back "invalid request".
bugmenot, author (posted May 24, 2009):
Yes, that did the trick. Thanks for your help. Anyhow, is there a reason for this setting to be disabled by default? I don't see why anyone would want it to be off.
Ultima (posted May 24, 2009):
To maintain backwards compatibility with older WebUI projects that haven't been updated to support token authentication. I'm not sure what the status is for current projects and their support for token authentication, but I tend to agree that it should probably be enabled by default now. It's already been part of µTorrent for at least a year, so most projects that haven't been updated to support token authentication are likely abandoned. The only exception to that would be the bookmarklet by kentyman, which can't support token authentication due to its very nature -- I'm not sure what we should do about it with regards to token authentication.
jewelisheaven (posted May 24, 2009):
I.e. I think Ultima is saying 1.9 will have it enabled by default when deployed.
Ultima (posted May 24, 2009):
It'll depend on how many of the WebUI projects work with token authentication.

Edit: Apparently, very few UIs work with it, still. A very sad and unfortunate state of affairs. I think I might just write a utility to replace Send2UTorrent and uTorrentHandler that supports token authentication properly instead of waiting for the unlikely chance that the (seemingly) abandoned projects will come back to life. In the end, I think the reason so many of the developers don't bother to support token authentication is directly because it's not enabled by default, so they think it's unimportant. On the contrary, it is important, and IMO, enough so that it's worth breaking abandoned projects just to keep users at least somewhat safer.

Edit: Warning to developers is up.
Lord Alderaan (posted May 25, 2009):
In view of this I've updated the mIRC script and the VBS move unlisted script. The Webui Shell already supported tokens. But 0.6.0 will also solve the issue with the webui.zip and maybe other Community Projects by inserting the token into requests that miss it (that is, if a token was found earlier in the same session, so the project does need to open token.html or index.html at least once).
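The two mechanisms the thread describes, put together as an added example (not code from µTorrent or from any of the WebUI projects named above): a client that reads the session token from token.html and inserts it into requests that lack it, as the Webui Shell 0.6.0 post describes, and a model of the server-side decision Ultima describes, where webui.token_auth turns a token-less request into "invalid request". The token.html markup, the sample token and the port are constructed assumptions.

```python
import re
import secrets
from urllib.parse import parse_qs, urlparse

# Constructed sample of a token.html body; the thread only says the page
# carries the session token, so this markup is an assumption, not the
# real response layout.
SAMPLE_TOKEN_HTML = (
    "<html><div id='token' style='display:none;'>EXAMPLETOKEN123</div></html>"
)

def extract_token(html):
    """Client side: pull the session token out of a token.html response."""
    m = re.search(r"id='token'[^>]*>([^<]+)<", html)
    return m.group(1) if m else None

def add_token(url, token):
    """Client side: insert the session token into a /gui/ request that
    lacks one (what the Webui Shell post describes); a request that
    already carries a token is returned unchanged."""
    parsed = urlparse(url)
    if "token" in parse_qs(parsed.query):
        return url
    sep = "&" if parsed.query else ""
    return parsed._replace(query=f"{parsed.query}{sep}token={token}").geturl()

def check_request(url, session_token, token_auth=True):
    """Model of the server-side decision. With token_auth off (the 1.8.2
    default in the thread) every request is accepted, which is why the
    <img> snippet works; with it on, a missing or wrong token is rejected
    with 'invalid request', and a cross-site <img> cannot know the token."""
    if not token_auth:
        return "accepted"
    supplied = parse_qs(urlparse(url).query).get("token", [None])[0]
    if supplied is None or not secrets.compare_digest(supplied, session_token):
        return "invalid request"
    return "accepted"
```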