Security surrounding config / admin center page- help!

Posted: Thu Feb 14, 2019 11:10 am
by elpirate
So I am using Transmission on my QNAP NAS (love it).

I have found a security issue though and am keen on any tips to resolve.

Basically, if I enter my external IP address from anywhere and then "/transmission/" I can access the config page and change the settings.json config file.

I could change the password if I wanted to and potentially backdoor other areas of the NAS from here.

So if my external IP address was 56.88.78.455 and I entered http://56.88.78.455/transmission/ I am directed to the config page as per the attached screenshot:

https://photos.app.goo.gl/wwhFRSS1tnGkZA2n9

Is there any known way to prevent this access at all?

Setting a username & password is only applicable to the web GUI from what I understand (which I already have in place).


Thanks

Re: Security surrounding config / admin center page- help!

Posted: Sun Feb 17, 2019 7:14 am
by killemov
The vanilla transmission-daemon should give you a 409 HTTP error code. My guess is that you are in the QNAP admin environment which might give you access to transmission settings. But how do you get authenticated for that environment? With a username+password perhaps?

Re: Security surrounding config / admin center page- help!

Posted: Sun Feb 17, 2019 8:58 am
by elpirate
killemov wrote: The vanilla transmission-daemon should give you a 409 HTTP error code. My guess is that you are in the QNAP admin environment which might give you access to transmission settings. But how do you get authenticated for that environment? With a username+password perhaps?

Thanks for the reply.

Basically, I can access that page from my work PC which is outside the QNAP admin environment.

This is my concern!

Any idea why this is happening?

Thanks

Re: Security surrounding config / admin center page- help!

Posted: Sun Feb 17, 2019 2:51 pm
by killemov
Have you logged in from that machine before? Maybe a cookie is keeping the authentication alive.
By the QNAP admin environment I mean an authenticated session and/or a specific path in the URL on the QNAP device.
I believe this is not a Transmission problem but a QNAP problem. Have you tried the QNAP forums?
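
Added example, not part of any post in this thread: a small Python audit of the remote-control keys in a Transmission settings.json, flagging the combinations that leave the daemon's own RPC/web interface reachable from outside. It inspects Transmission's file only and says nothing about a page served by the QNAP web server; the sample documents, the INTERNAL ranges and the fallback defaults are assumptions of the example.

```python
import ipaddress
import json

# Ranges this example treats as "internal" (an assumption; adjust for your LAN).
INTERNAL = [ipaddress.ip_network(n) for n in
            ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def pattern_is_internal(pattern):
    """True only if every address an rpc-whitelist pattern can match is internal."""
    pattern = pattern.strip()
    if ":" in pattern:                       # IPv6: accept exact loopback only
        return pattern == "::1"
    octets = pattern.split(".")
    octets += ["*"] * (4 - len(octets))      # "10.*" covers 10.*.*.*
    try:
        low = ipaddress.ip_address(".".join("0" if o == "*" else o for o in octets))
        high = ipaddress.ip_address(".".join("255" if o == "*" else o for o in octets))
    except ValueError:                       # partial-octet globs or junk: fail closed
        return False
    return any(low in net and high in net for net in INTERNAL)

def audit(settings_text):
    """Return findings for the remote-control keys of a settings.json document.
    Missing keys fall back to what this example assumes are the daemon defaults."""
    cfg = json.loads(settings_text)
    if not cfg.get("rpc-enabled", True):
        return []                            # remote control switched off entirely
    findings = []
    if not cfg.get("rpc-authentication-required", False):
        findings.append("rpc-authentication-required is false: no login on RPC/web UI")
    if not cfg.get("rpc-whitelist-enabled", True):
        findings.append("rpc-whitelist-enabled is false: any source IP is accepted")
    else:
        for entry in cfg.get("rpc-whitelist", "127.0.0.1").split(","):
            if not pattern_is_internal(entry):
                findings.append(f"rpc-whitelist entry {entry.strip()!r} can match external hosts")
    if cfg.get("rpc-bind-address", "0.0.0.0") == "0.0.0.0":
        findings.append("rpc-bind-address is 0.0.0.0: listening on every interface")
    return findings

# Constructed samples, not the poster's actual file.
EXPOSED = ('{"rpc-enabled": true, "rpc-bind-address": "0.0.0.0", '
           '"rpc-authentication-required": false, "rpc-whitelist-enabled": false}')
HARDENED = ('{"rpc-enabled": true, "rpc-bind-address": "192.168.1.10", '
            '"rpc-authentication-required": true, "rpc-whitelist-enabled": true, '
            '"rpc-whitelist": "127.0.0.1,192.168.1.*"}')

if __name__ == "__main__":
    for name, text in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, audit(text) or "no findings")
```

Transmission rewrites settings.json when it exits, so stop the daemon before editing the file to act on any finding.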