
GUEST access acts as a backdoor?!? #534

Closed
rodolfomatos opened this issue Jul 3, 2018 · 4 comments

Comments

@rodolfomatos

rodolfomatos commented Jul 3, 2018

Hello.
First, let me congratulate you for this project. It is a very cool endeavour indeed, and it shows that it has a lot of work on it.
I've just installed it in a Linux Mint using git & pip et al.
The configuration did not give me any problems, except that I had to create 2 files from scratch:
/lib/systemd/system/calibre.service
/etc/init.d/calibre

After that, everything was going smoothly. Changed the admin password, started creating some new users, even started uploading some pdf's and epub's that I have.

Then I started checking the configuration of the users that I had created. And realized that they had "jumped" one...
"admin" is user 1. Ok. But my user "rodolfo" was number "3". I did not create ANY previous user. So I checked the code.
And to my surprise, in "cps/ub.py" there is code for the creation of a "Guest" user with a password hard-coded: xxx

xxx as a password?!?! And THAT is not visible anywhere in the configuration process?!?

And THAT user has access to list ALL my books?!? I think I don't like that very much...

Even so, it would be nice to disable that "feature" altogether, don't you think?
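An added illustration of the seeding pattern described in this report beside a hardened variant; this is example code, not calibre-web's own, and the table layout, the `seed_*` functions and `check_login` are assumptions:

```python
import hashlib
import os
import secrets
import sqlite3

# Constructed illustration of the flaw reported above: an init routine that
# seeds a built-in "Guest" account. Table and column names are assumptions,
# not calibre-web's real schema.

SCHEMA = ("CREATE TABLE user (id INTEGER PRIMARY KEY, nickname TEXT UNIQUE, "
          "salt BLOB, pwhash TEXT)")
INSERT = "INSERT INTO user (nickname, salt, pwhash) VALUES (?, ?, ?)"

def hash_password(password: str, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()

def _new_db(admin_password: str) -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    salt = os.urandom(16)
    conn.execute(INSERT, ("admin", salt, hash_password(admin_password, salt)))
    return conn

def seed_vulnerable(admin_password: str) -> sqlite3.Connection:
    """'Before' pattern from the report: Guest is created with a fixed,
    guessable password that no configuration screen ever mentions."""
    conn = _new_db(admin_password)
    salt = os.urandom(16)
    conn.execute(INSERT, ("Guest", salt, hash_password("xxx", salt)))
    return conn

def seed_hardened(admin_password: str) -> sqlite3.Connection:
    """Hardened pattern: Guest row exists for anonymous-browsing settings but
    has a NULL pwhash, so no password can match until an admin sets one."""
    conn = _new_db(admin_password)
    conn.execute(INSERT, ("Guest", None, None))
    return conn

def check_login(conn: sqlite3.Connection, nickname: str, password: str) -> bool:
    row = conn.execute("SELECT salt, pwhash FROM user WHERE nickname = ?",
                       (nickname,)).fetchone()
    if row is None or row[1] is None:  # unknown user, or no usable password
        return False
    return secrets.compare_digest(hash_password(password, row[0]), row[1])

def accounts_accepting(conn: sqlite3.Connection, password: str) -> list:
    """Audit helper: which accounts still accept a known seed default?"""
    names = [r[0] for r in conn.execute("SELECT nickname FROM user ORDER BY id")]
    return [n for n in names if check_login(conn, n, password)]
```

The audit helper is the check an operator would run against a copy of the app database after upgrading: a hardened install returns an empty list for the old default.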

@OzzieIsaacs
Collaborator

Very stupid mistake, is fixed now.

@Technosoft2000, @CHBMB: There is a serious security hole in all calibre-web versions. Everybody can login with the username guest and a very easily guessable password. I fixed it, and I want to encourage you to update the docker versions if necessary. (I'm not sure if updating calibre-web in the docker container works?)
Special thanks to @rodolfomatos!

@saitoh183

> (I'm not sure if updating calibre-web in the docker container works?)

Yes it does

@Technosoft2000

@OzzieIsaacs

Thanks for the info :)

@CHBMB
Contributor

CHBMB commented Jul 3, 2018

@OzzieIsaacs No problem will get it sorted. Thanks for letting me know.

CHBMB added a commit to linuxserver-archive/docker-calibre-web-armhf that referenced this issue Jul 3, 2018
Push new build to remove this [vulnerability](janeczku/calibre-web#534)
CHBMB added a commit to linuxserver-archive/docker-calibre-web-arm64 that referenced this issue Jul 3, 2018
Push new build to remove this [vulnerability](janeczku/calibre-web#534)
CHBMB added a commit to linuxserver/docker-calibre-web that referenced this issue Jul 3, 2018
Push new build to remove this [vulnerability](janeczku/calibre-web#534)
trasba pushed a commit to trasba/docker-calibre-web-armhf that referenced this issue Apr 13, 2020
Push new build to remove this [vulnerability](janeczku/calibre-web#534)