Forum closed
This forum was closed and turned into an archive effective April 21, 2018. It is no longer possible to create new topics or reply to existing topics.


Remote Buddy Forum

User

10.02.2008 00:12:24
Security

This posting is older than 6 months and can contain outdated information.
Can someone tell me about the security issues with opening port 8888? I'm concerned this will open a hole for hackers to access my data.

Thanks,

Todd 

User

10.02.2008 15:57:02
Re: Security

Hello Todd,

Remote Buddy doesn't use an off-the-shelf server engine, so it also can't be easily misconfigured. The server engine itself was developed specifically for this application and always with security in mind.

All of the files it serves must be located in Remote Buddy.app/Contents/Resources/WebRemote - or else a "404 Not Found" error is printed. Special care is taken to make any (pretty classic) path escape tricks like http://someurl/../../../../../etc/passwd impossible. For requests that ask for files, the path is first mapped, then transferred into a Mac OS X Carbon FSRef (which is basically just a bunch of numbers identifying a single filesystem object - bringing it to a level where no escape tricks will work as no filesystem location strings are involved anymore), then back into the full path (which can no longer contain any path escape tricks), then matched versus the permitted paths.

So, asking Remote Buddy for

http://ajaxremoteurl:8888/../../../../../etc/passwd

will do this:

1: Get the location of the file requested: /Applications/Remote Buddy.app/Contents/WebRemote/../../../../etc/passwd

2: Transform into a Carbon FSRef: 1280912801 3479829834 283910923

3: Transform back into a path: /etc/passwd

4: Check the requested path

/etc/passwd

against list of allowed paths:

/Applications/Remote Buddy.app/Contents/WebRemote/

=> No match

5: Send response: Access denied / File not found

Plus access to the AJAX Remote's actual dynamic functionality - which does not currently include access to files on your system - itself is also password protected and forces you to define a password by default.

Running ANY service on ANY port on ANY system will always pose a *theoretical* security risk IF someone finds a security hole in the software AND is able to exploit it (=> especially hard on OS X which - unlike many Windows versions - differentiates between executable memory (containing executable code) and data memory (containing the data a program works with - buffer overflows would usually happen here) and does not allow any code to be executed in the latter memory segments). It does not matter if that service is called Screen sharing, Apache, AFP/SMB file sharing, P2P software or Remote Buddy.

It's the general risk of using the Internet - no matter for which purpose or which services. Even the best firewall can't shield you from unknown vulnerabilities of the browser you use.

Having said that, no vulnerabilities in RapidHTTPd (Remote Buddy's AJAX Remote's server engine) are known.

Best regards, 
Felix Schwarz
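The five-step check Felix walks through (map the request, canonicalise it so no "../" strings survive, then compare the result against the permitted directory) is a general pattern for any file-serving handler. The following is an added illustration, not RapidHTTPd's or Remote Buddy's code: it uses `os.path.realpath` in place of the Carbon FSRef round trip, and the web root, the `index.html` file and the request paths are constructed for the demo.

```python
import os
import shutil
import tempfile
from urllib.parse import unquote


def resolve_request(url_path: str, web_root: str):
    """Map a URL path onto the filesystem, canonicalise it, and check that
    the result still lies inside web_root.

    Returns (status, canonical_path): 200 = may be served, 403 = canonical
    path escaped web_root (the ../../../etc/passwd case from the post),
    404 = inside web_root but no such file.
    """
    # Step 1: naive mapping of the request onto the directory tree.
    # Percent-decoding first means %2e%2e is handled the same as '..'.
    decoded = unquote(url_path.split("?", 1)[0])
    candidate = os.path.join(web_root, decoded.lstrip("/"))
    # Steps 2 and 3: canonicalise. realpath resolves '..' and symlinks,
    # standing in here for the FSRef round trip; no escape strings survive.
    root = os.path.realpath(web_root)
    canonical = os.path.realpath(candidate)
    # Step 4: containment is checked on path components, not a string
    # prefix, so "/srv/web-other" is never accepted for root "/srv/web".
    if os.path.commonpath([root, canonical]) != root:
        return 403, canonical
    if not os.path.isfile(canonical):
        return 404, canonical
    return 200, canonical


def demo():
    """Constructed sample: a throwaway web root holding one file."""
    web_root = tempfile.mkdtemp(prefix="webremote-")
    with open(os.path.join(web_root, "index.html"), "w") as f:
        f.write("<html>hello</html>")
    requests = [
        "/index.html",                       # legitimate file
        "/missing.html",                     # inside root, does not exist
        "/../../../../../etc/passwd",        # the escape from the post
        "/%2e%2e/%2e%2e/%2e%2e/etc/passwd",  # same escape, URL-encoded
    ]
    results = {r: resolve_request(r, web_root)[0] for r in requests}
    shutil.rmtree(web_root)
    return results


if __name__ == "__main__":
    for req, status in demo().items():
        print(status, req)
```

Because the containment test runs on the canonical path, it does not matter whether the escape is spelled `../`, percent-encoded, or routed through a symlink inside the web root.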