Possible security issue with lightsquid?



  • Hi,

    Perhaps I am missing something in my configuration, but if I have pfsense exposed so that I can get to it remotely via the web interface:

    https://my.pfsense.com:8080

    …and then I go to a computer I have not yet signed into pfsense with and go directly to lightsquid:

    https://my.pfsense.com:8080/lightsquid/day_detail.cgi?year=2011&month=04&day=20 (for example)

    …I get a page showing the list of machines and IPs.

    This should not happen, correct?

    Sorry if this has been discussed previously, maybe this is known behavior.

    Hm, I do see it mentioned before:

    http://forum.pfsense.org/index.php?topic=21832.0



  • Not sure if it is a "bug" or not, but lightsquid is an additional package and the maintainer of this package has to "fix" this.
    I had the same "problem" in the past, too.

    Further you could create a firewall rule and block this destination address.



  • vnstat is the same way, their front end requires no log in.


  • Rebel Alliance Developer Netgate

    That has always been the case, it's a known issue. If you don't want someone to access it, restrict it with firewall rules.

    Only pages on the pfSense router that include the authentication code will require authentication. Static files, image files, etc, are not protected.

    Some people have hacked the code that generates the lighty config to setup password-protected access for other directories, but it isn't something that has been done in the official code.
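    For illustration of what that kind of per-directory protection looks like, here is a lighttpd mod_auth fragment for the lightsquid directory. It is an added example, not pfSense's or LightSquid's own code; the htdigest file path and realm name are placeholders, and since pfSense generates the lighty config, the fragment would have to be emitted by the generator rather than hand-edited into the file.

```conf
# Added example: require credentials for everything under /lightsquid/
# (day_detail.cgi, index.cgi, graphs, ...), which lighttpd otherwise
# serves without any of the pfSense GUI's authentication.
# Assumptions: lighttpd 1.4.x; on 1.4.56 or newer the htdigest backend
# additionally needs "mod_authn_file" in server.modules.
server.modules += ( "mod_auth" )

# Digest backend: the userfile holds one line per user in the form
#   user:realm:md5("user:realm:password")
# e.g. on FreeBSD:
#   printf 'admin:lightsquid:%s\n' "$(printf 'admin:lightsquid:SECRET' | md5)"
auth.backend                   = "htdigest"
auth.backend.htdigest.userfile = "/PLACEHOLDER/path/lightsquid.htdigest"

# Prefix match: every URL beginning with /lightsquid/ needs a valid user.
auth.require = (
  "/lightsquid/" => (
    "method"  => "digest",
    "realm"   => "lightsquid",
    "require" => "valid-user"
  )
)
```

    Other unauthenticated package front ends (vnstat is named later in the thread) would need their own `auth.require` entry; the GUI's own session login does not cover them.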



  • Makes sense to me in hindsight.

    I had assumed the GUI was locked down in a more global fashion and was initially surprised that all my browsing history was potentially viewable without authentication. Maybe that should be mentioned somewhere as a courtesy. It wasn't initially obvious to me that this was the case, but I understand it in retrospect.

    Easy fix of course, I just disabled access to the GUI from the WAN side, which I should have done from day one.



  • Wait, the package servers are listening on 0.0.0.0? That I did not know – I assumed that the packages would bind to the LAN address(es) only?

    Guess I have to do some testing, and make some more rules. That is potentially a really nasty security hole.



  • It's only a security hole if you forget that pfSense is primarily a firewall - you're not supposed to be exposing its services to the Internet ;)



  • I was initially surprised, but then realized that I shouldn't be.

    I think the problem is that users may not understand the scope of packages - where does pfsense stop and a package begin?

    It is easy to just make the assumption that everything on the machine is hidden and requires authentication via a username / password combination. I'm not suggesting that it needs dumbing down, just pointing out that the assumption I made can be made by others (case in point, the above post from Liath.WW). I have no good ideas on how to make it more clear either, other than pedantic warnings everywhere.

