Security surrounding config / admin center page- help!

Discussion of the Web Interface for Transmission, formerly known as Clutch. This applies to all version of Transmission
Post Reply
elpirate
Posts: 2
Joined: Thu Feb 14, 2019 11:03 am

Security surrounding config / admin center page- help!

Post by elpirate »

So I am using Transmission on my QNAP Nas (Love it)

I have found a security issue though and and keen on any tips to resolve.

Basically, if I enter my external IP address from anywhere and then "/transmission/" I can access the config page and change the settings.json config file.

I could change the password if i wanted to and potentially backdoor otter areas of the NAS from here.

So if my external ip address was 56.88.78.455 and i entered in http://56.88.78.455/transmission/ I am directed to the config page as per the attached screenshot:

Image

https://photos.app.goo.gl/wwhFRSS1tnGkZA2n9

Is there any known way to prevent this access at all?

Setting a username & password is only applicable to the web GUI from what I understand (which I already have in place)


Thanks
killemov
Posts: 535
Joined: Sat Jul 31, 2010 5:04 pm

Re: Security surrounding config / admin center page- help!

Post by killemov »

The vanilla transmission-daemon should give you a 409 HTTP error code. My guess is that you are in the QNAP admin environment which might give you access to transmission settings. But how do you get authenticated for that environment? With a username+password perhaps?
elpirate
Posts: 2
Joined: Thu Feb 14, 2019 11:03 am

Re: Security surrounding config / admin center page- help!

Post by elpirate »

killemov wrote:The vanilla transmission-daemon should give you a 409 HTTP error code. My guess is that you are in the QNAP admin environment which might give you access to transmission settings. But how do you get authenticated for that environment? With a username+password perhaps?
Thanks for the reply.

Basically, I can access that page from my work PC which is outside the QNAP admin environment.

This is my concern!

Any idea why this is happening?

Thanks
killemov
Posts: 535
Joined: Sat Jul 31, 2010 5:04 pm

Re: Security surrounding config / admin center page- help!

Post by killemov »

Have you logged in from that machine before? Maybe a cookie is keeping the authentication alive.
With the QNAP admin environment I mean an authenticated session and/or a specific path in the URL on the QNAP device.
I believe this is not a Transmission problem but a QNAP problem. Have you tried the QNAP forums?
Post Reply