Is pwAdmin secure enough to open to the WAN

  1. #1 R27 (Novice), joined Nov 2011, 1 post

    Is pwAdmin secure enough to open to the WAN

    I was just wondering if it is a wise idea to open pwAdmin to the WAN or not.

    Taking a look at the source code, it seems relatively secure where it compares the entered password/key to the one stored in pwadminconf.jsp.
    Code:
    // MD5 of the submitted "key" parameter is compared with iweb_password from pwadminconf.jsp
    if (encode(request.getParameter("key"), MessageDigest.getInstance("MD5")).compareTo(iweb_password) == 0)
    {
        request.getSession().setAttribute("ssid", request.getRemoteAddr());
    }
    But is there any way to bypass that, like with XSS or getting the page to display the iweb_password variable?

    I just want to know if it is a good idea to have the port for pwAdmin open to the WAN...


  2. #2 das7002 (Black Magic Development), joined Apr 2010, location Earth, 2,188 posts

    Re: Is pwAdmin secure enough to open to the WAN

    XSS requires some kind of way to insert data into a database... (and only affects people who use it, does nothing to the server)

    To be honest I wouldn't let people know it exists at all; either block access to it so only your IP can see it via iptables, or have the tomcat/w/e server listen only on localhost and use pwAdmin over an ssh tunnel...

  3. #3 rbb138 (Robb), joined Jan 2009, location London, England, 1,241 posts

    Re: Is pwAdmin secure enough to open to the WAN

    Simple answer is that since the source code is open to the public, no.

    Easier to hack something if you know exactly how it works.

  4. #4 NaMeLeS (Viva la Vida), joined Jul 2011, 613 posts

    Re: Is pwAdmin secure enough to open to the WAN

    Quote Originally Posted by rbb138:
    Simple answer is that since the source code is open to the public, no.

    Easier to hack something if you know exactly how it works.

    The source code seems relatively secure though.

    I have been looking through it and so far I haven't found anything that could be exploited.

  5. #5 343 (Omega), joined Oct 2009, location Ancient DGN CTY, 5,514 posts

    Re: Is pwAdmin secure enough to open to the WAN

    simple and short answer

    ¤ NO ¤

    (This is why I have pwAdmin on a totally separate port in my release [so users can still access things like "getgold" "getitem" or "guildicon" - yet NOT have access to pwAdmin])

  6. #6 rbb138 (Robb), joined Jan 2009, location London, England, 1,241 posts

    Re: Is pwAdmin secure enough to open to the WAN

    Yeah, it's a really, really bad idea.

    For one thing, it's not brute-force proof and has some areas without SQL injection checking. Not to mention some of the plugins simply have no protection at all.

  7. #7 tbnanubis (Angelemu founder), joined Mar 2011, location Unicorn Forest, 527 posts

    Re: Is pwAdmin secure enough to open to the WAN

    That's the main reason I removed all pwAdmin protection and set up a security container for an htaccess-like login check ;)

    Well additionally it seals off iweb and all other services in one flush if you do it correctly :)

    When you want to know how to do that, google for "jetty realm login" and you should find something. I suggest never opening that thing to your players.. use custom jsp and tunnel the real requests over some self-made php, masking the real jetty address and ports.

  8. #8 Zorno (cats addicted), joined Apr 2010, location Germany, 1,465 posts

    Re: Is pwAdmin secure enough to open to the WAN

    It's not. Problem is that pwAdmin is just secured with one single password. Using something like a brute force password thingy will open it up in seconds.
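One way to harden the check quoted in post #1 against the single-password and brute-force points raised in posts #6 and #8, as an added example that is not part of this thread or of pwAdmin itself: a plain Java class (servlet wiring left out) that compares the MD5 hex in constant time and locks an address out after repeated failures. The class name, the lockout thresholds and the assumption that iweb_password holds the lower-case hex MD5 are mine, not pwAdmin's.

```java
// Added example, not pwAdmin's own code: the single MD5 key check from post #1,
// hardened against the weaknesses raised in the thread (String.compareTo on the
// hash and no limit on guesses). Lockout values are assumptions.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;

public class AdminKeyCheck {
    private static final int MAX_FAILURES = 5;            // assumed: lock an IP after 5 bad keys
    private static final long LOCKOUT_MS = 15 * 60_000L;  // assumed: for 15 minutes
    private final byte[] storedHash;                                // hex MD5 from pwadminconf.jsp, as bytes
    private final Map<String, Integer> failures = new HashMap<>();  // remote address -> failed attempts
    private final Map<String, Long> lockedUntil = new HashMap<>();  // remote address -> unlock time (ms)

    public AdminKeyCheck(String iwebPasswordHex) {
        storedHash = iwebPasswordHex.toLowerCase().getBytes(StandardCharsets.UTF_8);
    }
    /** True only when the key matches and the caller is not locked out. */
    public synchronized boolean check(String key, String remoteAddr, long nowMs) {
        Long until = lockedUntil.get(remoteAddr);
        if (until != null && nowMs < until) return false;   // locked out: refuse before comparing
        byte[] given = md5Hex(key == null ? "" : key).getBytes(StandardCharsets.UTF_8);
        // isEqual runs in constant time; String.compareTo stops at the first differing character
        if (MessageDigest.isEqual(given, storedHash)) {
            failures.remove(remoteAddr);
            return true;
        }
        int count = failures.merge(remoteAddr, 1, Integer::sum);
        if (count >= MAX_FAILURES) {
            lockedUntil.put(remoteAddr, nowMs + LOCKOUT_MS);
            failures.remove(remoteAddr);
        }
        return false;
    }
    /** Lower-case hex MD5; assumed to match what the original encode() helper produces. */
    static String md5Hex(String s) {
        try {
            StringBuilder sb = new StringBuilder();
            for (byte b : MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.UTF_8))) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

Even with this in place, the advice in post #2 still applies: a lockout only slows guessing, it does not replace binding the admin interface to localhost or restricting it to your own address.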
