[Important security related] Disable Web UI listening on default port


John Peterson

Certainly doesn't when I enable the alternative port. You probably have corrupted settings, or you've encountered a bug (which I doubt, considering I've tested various versions to confirm this). Or your browser is relying too heavily on its cache.


>curl -v -uadmin:1234567890 http://localhost:1234/gui/ -o test01.txt
* About to connect() to localhost port 1234 (#0)
* Trying 127.0.0.1...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0*
connected
* Connected to localhost (127.0.0.1) port 1234 (#0)
* Server auth using Basic with user 'admin'
> GET /gui/ HTTP/1.1
> Authorization: Basic YWRtaW46MTIzNDU2Nzg5MA==
> User-Agent: curl/7.25.0 (i386-pc-win32) libcurl/7.25.0 OpenSSL/0.9.8u zlib/1.2
.6 libssh2/1.4.0
> Host: localhost:1234
> Accept: */*
>
< HTTP/1.1 200 OK
< Connection: keep-alive
< Content-Length: 39932
< Content-Type: text/html
< ETag: "01CC7606C6DD039A"
< Set-Cookie: GUID=Qdbbjp5KfbBvphY37bSc; path=/
<
{ [data not shown]
100 39932 100 39932 0 0 311k 0 --:--:-- --:--:-- --:--:-- 419k
* Connection #0 to host localhost left intact
* Closing connection #0

>curl -v -uadmin:1234567890 http://localhost:12345/gui/ -o test02.txt
* About to connect() to localhost port 12345 (#0)
* Trying 127.0.0.1...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0*
connected
* Connected to localhost (127.0.0.1) port 12345 (#0)
* Server auth using Basic with user 'admin'
> GET /gui/ HTTP/1.1
> Authorization: Basic YWRtaW46MTIzNDU2Nzg5MA==
> User-Agent: curl/7.25.0 (i386-pc-win32) libcurl/7.25.0 OpenSSL/0.9.8u zlib/1.2
.6 libssh2/1.4.0
> Host: localhost:12345
> Accept: */*
>
< HTTP/1.1 400 ERROR
< Connection: keep-alive
< Content-Length: 17
< Content-Type: text/html
<
{ [data not shown]
100 17 100 17 0 0 182 0 --:--:-- --:--:-- --:--:-- 274
* Connection #0 to host localhost left intact
* Closing connection #0

Same setup.


Never mind, turns out I didn't test exactly as you did. I see that a second serial request on the same connection seems to cause µTorrent to respond with data. Looks more like a bug report than a feature request to me.

>curl -v -uadmin:1234567890 http://localhost:12345/gui/ -o test02.txt htt
p://localhost:12345/gui/ -o test03.txt
* About to connect() to localhost port 12345 (#0)
* Trying 127.0.0.1...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0*
connected
* Connected to localhost (127.0.0.1) port 12345 (#0)
* Server auth using Basic with user 'admin'
> GET /gui/ HTTP/1.1
> Authorization: Basic YWRtaW46MTIzNDU2Nzg5MA==
> User-Agent: curl/7.25.0 (i386-pc-win32) libcurl/7.25.0 OpenSSL/0.9.8u zlib/1.2
.6 libssh2/1.4.0
> Host: localhost:12345
> Accept: */*
>
< HTTP/1.1 400 ERROR
< Connection: keep-alive
< Content-Length: 17
< Content-Type: text/html
<
{ [data not shown]
100 17 100 17 0 0 180 0 --:--:-- --:--:-- --:--:-- 269
* Connection #0 to host localhost left intact
* Re-using existing connection! (#0) with host (nil)
* Connected to (nil) (127.0.0.1) port 12345 (#0)
* Server auth using Basic with user 'admin'
> GET /gui/ HTTP/1.1
> Authorization: Basic YWRtaW46MTIzNDU2Nzg5MA==
> User-Agent: curl/7.25.0 (i386-pc-win32) libcurl/7.25.0 OpenSSL/0.9.8u zlib/1.2
.6 libssh2/1.4.0
> Host: localhost:12345
> Accept: */*
>
< HTTP/1.1 200 OK
< Connection: keep-alive
< Content-Length: 39932
< Content-Type: text/html
< ETag: "01CC7606C6DD039A"
< Set-Cookie: GUID=EVwk1GGRFkp59NGArCdW; path=/
<
{ [data not shown]
100 39932 100 39932 0 0 829k 0 --:--:-- --:--:-- --:--:-- 829k
* Connection #0 to host (nil) left intact
* Closing connection #0

Moved to Bug Reports forum.

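The check from the curl sessions above, as an added example that is not part of the original thread or of µTorrent: it sends several requests over one keep-alive connection and reports the port as disabled only if none of them is served. The function names and the rule that a status of 400 or higher counts as refused are assumptions of this sketch.

```python
import http.client
import sys
from base64 import b64encode


def probe_keepalive(host, port, path="/gui/", requests=3,
                    user=None, password=None, timeout=5):
    """Send up to `requests` GETs over ONE TCP connection; return each status."""
    headers = {"Connection": "keep-alive"}
    if user is not None:
        token = b64encode(f"{user}:{password}".encode()).decode()
        headers["Authorization"] = "Basic " + token
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    statuses = []
    try:
        for _ in range(requests):
            conn.request("GET", path, headers=headers)
            resp = conn.getresponse()
            resp.read()  # drain the body so the socket can be reused
            statuses.append(resp.status)
            if conn.sock is None:
                # Server closed the connection; another request would open a
                # fresh one and no longer exercise the keep-alive path.
                break
    except (http.client.HTTPException, OSError):
        pass  # refused, reset or timed out: nothing more was served
    finally:
        conn.close()
    return statuses


def port_is_disabled(statuses):
    """True only if no request on the connection was answered below 400."""
    return all(status >= 400 for status in statuses)


if __name__ == "__main__":
    # Usage: script.py HOST PORT [USER PASSWORD]
    host, port = sys.argv[1], int(sys.argv[2])
    creds = sys.argv[3:5] if len(sys.argv) >= 5 else (None, None)
    seen = probe_keepalive(host, port, user=creds[0], password=creds[1])
    print(seen, "disabled" if port_is_disabled(seen) else "STILL SERVING")
```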

Archived

This topic is now archived and is closed to further replies.
