clone weinre at apache

weinre - Security

Home - User Interface - Installing - Running - Multi-User - Security - Building - ChangeLog - License

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

About security for weinre: there is none.

Obviously there should be some. The question is, what do we need to do?

Background and potential exposures

Currently weinre uses plain old HTTP - not HTTPS - and provides no level of authentication for requests.

The primary security exposure with weinre is via the debug server.

Currently, the server only reads files from the weinre-node distribution, and from the ~/.weinre/ directory (for property files). The only thing the server writes to is stdout and stderr.

If you use the default --boundHost option value of localhost, then any software on the machine running the debug server can communicate with the debug server. This probably isn't a big deal, since presumably you control the software running on that machine.

If you use a non-default --boundHost option value, then any software on any machine that can access that specified host can communicate with the debug server. This is a much bigger deal.

The most obvious exposure with using --boundHost and a specific hostname / ip address, is that any debug client or debug target that can access that hostname / ip address can access the server. For example, a rogue debug client could connect to your debug target and fiddle about with it.

Other exposures include leaving a debug target injection script line (ie, <script src="[...]/target/target-script.js">) in your web page, and then that web page connects to a rogue debug server running at that address.

Future Implementation Ideas

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Home - User Interface - Installing - Running - Multi-User - Security - Building - ChangeLog - License