aMule Bug Tracker - aMule
View Issue Details
IDProjectCategoryView StatusDate SubmittedLast Update
0000955aMulePreferencespublic2006-08-29 10:192017-05-30 08:49
Reporterhramrach 
Assigned ToKry 
PriorityhighSeverityminorReproducibilityalways
StatusassignedResolutionopen 
PlatformOSOS Version
Product Version2.1.3 
Target VersionFixed in Version 
Fixed in Revision
Operating SystemAny
Summary0000955: add option to specify listening address for amuleweb
DescriptionIt is possible to specify an address on which amule(d) listens as ECServer but it is not possible to specify the address on which amuleweb listens.
Steps To Reproduce
Additional InformationCould be used to allow the web only on one interface of machines that have several interfaces, or to allow only local connections so that it is possible to connect only from localhost or through ssh tunnels.
Tagsconfigure, connection
Relationships
Attached Files
Issue History
Date ModifiedUsernameFieldChange
2006-08-29 10:19hramrachNew Issue
2006-08-29 10:19hramrachOperating System => Any
2006-08-31 12:36KryStatusnew => assigned
2006-08-31 12:36KryAssigned To => Kry
2006-09-26 05:07KryPrioritynormal => high
2006-11-09 22:40pcmasterNote Added: 0002157
2006-11-09 22:40pcmasterNote Deleted: 0002157
2011-01-29 17:47bugmiNote Added: 0003534
2017-05-30 08:10uqbarNote Added: 0003702
2017-05-30 08:31uqbarNote Edited: 0003702bug_revision_view_page.php?bugnote_id=3702#r18
2017-05-30 08:35uqbarTag Attached: configure
2017-05-30 08:35uqbarTag Attached: connection
2017-05-30 08:49uqbarNote Edited: 0003702bug_revision_view_page.php?bugnote_id=3702#r19

Notes
(0003534)
bugmi   
2011-01-29 17:47   
Nothing yet? it would be really useful.
(0003702)
uqbar   
2017-05-30 08:10   
(edited on: 2017-05-30 08:49)
This is actually a major bug to be addressed asap.

It's a real bug as the amule.conf file has an ECAddress setting to limit the "external connections" address, but amuleweb is happily ignoring it and is not able to connect unless it's unset!

And it's a security bug as well. The web UI has no encryption (aka SSL) and opening a web UI over any network without encryption is a security nightmare.

Now, besides adding encryption, there's an easy solution: fix just this bug.

Let amuleweb listen on loopback only at any address from 127.0.0.1 to 127.255.255.254.
Then open an SSH TCP port forward/SOCKSv5 proxy from remote client to the amuleweb host.
This should add very strong encryption to amuleweb with just a tiny fix.

Maybe the offendig code is here:

file:src/sebserver/WebServer.cpp, line 285

        amuleIPV4Address addr;
        addr.AnyAddress();
        addr.Service(webInterface->m_WebserverPort);

it looks like it's setting the listening address to 0.0.0.0 .
What's hard to find to me (so far) is where it's connecting to for amuled.