Apache Basic Auth Bypass [SOLVED]

peshua19

May 25, 2018
Hello,

I have noticed some problems with basic auth when using rutorrent under apache. For example, if you go to rutorrent under Firefox and close the user/pass basic auth dialog, the UI will show, with no data from rtorrent, BUT it is possible to add torrents that will be passed to rtorrent, and if you have rss-plugin you could view your rss, add rss feeds, download torrents from rss feed and so on.

If you go to rutorrent under Chrome the auth dialog will show but the ui will load in the background showing no data from rtorrent but again, close the dialog and add torrents... Here is a print from Chrome:
http://i47.tinypic.com/1pi4k3.png

I don't know if this has been reported before or if it has been solved another way (different auth settings in apache?), anyway it seems like a big security risk.

FreeBSD 8.0
rtorrent 0.8.6
libtorrent 0.12.6
rutorrent 2.8
apache 2.2.14
Firefox 3.6 / IE 8.0 / Chrome 4.0.249.89

Apache auth:
Code:
SCGIMount /RPC2 127.0.0.1:5000

<Location /RPC2>
AuthName "Private"
AuthType Basic
AuthBasicProvider file
AuthUserFile /usr/local/etc/apache22/passwords
Require user beta
</Location>
Hope someone can help me find a solution for this :)

Thanks in advance!
 

saroos1

May 25, 2018
The simple solution to this is to put auth on your main folder, not your rpc mount, then put the rpc mount INSIDE this folder.

The problem isn't with rutorrent, but your config.
 

peshua19

May 25, 2018
Apache:
Code:
SCGIMount /usr/local/www/rutorrent/RPC2 127.0.0.1:5000

<Location /usr/local/www/rutorrent>
AuthName "Private"
AuthType Basic
AuthBasicProvider file
AuthUserFile /usr/local/etc/apache22/passwords
Require user beta
</Location>
rs.js:
Code:
XMLRPCMountPoint : "/usr/local/www/rutorrent/RPC2",
I can still bypass the login by closing the dialog and adding torrents. Any ideas?
 

saroos1

May 25, 2018
That is impossible if it is set up properly.

Let me demonstrate what happens if you set it up right:

Like I said in my last post, put the auth on the actual rutorrent forum. If someone doesn't have the password, there is no WAY they can add a torrent.

I realize my screenshot is cherokee (I use cherokee because it's faster and more lightweight) but the same applies for apache, lighttpd, and nginx.
 

peshua19

May 25, 2018
Ok, solved it. Will post the solution if someone finds it useful some day.

Apache config:
Code:
SCGIMount /rutorrent/RPC2 127.0.0.1:5000

<Location /rutorrent>
AuthName "Private"
AuthType Basic
AuthBasicProvider file
AuthUserFile /usr/local/etc/apache22/passwords
Require user beta
</Location>

rs.js:
Code:
XMLRPCMountPoint : "/rutorrent/RPC2",
In my case /rutorrent is located in /usr/local/www, seems that it doesn't work if you specify the whole path for rutorrent-directory in apache config.

As wonslung said, put the auth on the rutorrent dir and mount RPC inside the rutorrent dir.

Hope this can help someone with the same problem :)
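
Added example, not part of the original posts and not code from Apache or ruTorrent: a small Python check that models how a plain `<Location>` block is matched against the request URL path (never the filesystem path) and reports which paths each of the three configurations posted in this thread would serve without asking for credentials. The request paths under `/rutorrent` (including `index.html`) are assumptions about where the UI is served, and only plain `<Location>` blocks are modelled, not `<LocationMatch>`, `<Directory>` or `.htaccess`.

```python
import re

# Constructed, shortened copies of the three configurations posted in this thread.
CONFIGS = {
    "rpc_only": "<Location /RPC2>\nAuthType Basic\nRequire user beta\n</Location>",
    "fs_path": "<Location /usr/local/www/rutorrent>\nAuthType Basic\nRequire user beta\n</Location>",
    "url_path": "<Location /rutorrent>\nAuthType Basic\nRequire user beta\n</Location>",
}

# Hypothetical request paths for a UI served at /rutorrent (assumption).
SAMPLE_URLS = ["/rutorrent/", "/rutorrent/index.html", "/rutorrent/RPC2"]

LOCATION_RE = re.compile(
    r"<Location\s+\"?([^\s\">]+)\"?\s*>(.*?)</Location>", re.S | re.I
)


def protected_prefixes(conf):
    """Return the <Location> arguments whose block contains a Require line."""
    return [
        path
        for path, body in LOCATION_RE.findall(conf)
        if re.search(r"^\s*Require\s+\S", body, re.M | re.I)
    ]


def location_matches(prefix, url_path):
    """Plain <Location> rule: the prefix matches the URL path itself or
    anything below it on a '/' boundary. Filesystem paths play no part."""
    if prefix.endswith("/"):
        return url_path.startswith(prefix)
    return url_path == prefix or url_path.startswith(prefix + "/")


def unprotected(conf, urls):
    """URL paths that no auth-bearing <Location> block covers."""
    prefixes = protected_prefixes(conf)
    return [u for u in urls if not any(location_matches(p, u) for p in prefixes)]


if __name__ == "__main__":
    for name, conf in CONFIGS.items():
        print(name, "-> served without auth:", unprotected(conf, SAMPLE_URLS))
```

Only the last configuration, which names the URL path `/rutorrent`, leaves the list empty; the other two never match a request for the UI, so the UI is served without credentials.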