Webcam security issue

Hi,
I found what I consider a serious webcam issue with Repetier Server. Webcams might be exposed to the public without the user being aware of it. Webcam streams could contain information about people's private apartments, protected business information, or other things which nobody wants to show.

When opening the "Webcam" tab to view a webcam assigned to a printer, the stream can be viewed from external hosts because no authentication is required - normally "only" from the LAN, but when running a web server in front of it this needs to be configured accordingly (I found nothing in the documentation for nginx/apache yet). Even on the LAN this might be an issue.

Right-click on the webcam stream/image, e.g. at https://repetier.somedomain.de/#!/printer/YourPrinterName/camera, to reveal the real URL:

The URLs
correctly return the JSON response "authorization" required.

I think Repetier Server, which runs its own web server on port 3344, should allow setting extra permissions for accessing the webcam in the frontend. Maybe integrate this in #!/userconfig or in the webcam config tab itself.

The workaround when exposing the server over public IP addresses with a reverse proxy is simple (you only need to know about it ...)

This is my apache2 config:
<VirtualHost *:443>
    ServerName repetier.somedomain.de
    ServerAdmin webmaster@somedomain.de
    ErrorLog ${APACHE_LOG_DIR}/error-repetier.log
    CustomLog ${APACHE_LOG_DIR}/access-repetier.log combined

    # TLS: modern ciphers only, nothing older than TLS 1.2
    SSLEngine on
    SSLCertificateFile /etc/ssl/somedomain.de.pem
    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
    SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder On

    # Hardening headers; the Set-Cookie edit marks the backend's session cookie HttpOnly/Secure
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    Header always set X-Content-Type-Options nosniff
    Header unset X-Powered-By
    Header set Referrer-Policy "origin-when-cross-origin"
    Header always edit Set-Cookie (.*) "$1; HttpOnly; Secure"
    Header set X-XSS-Protection "1; mode=block"
    SSLCompression off
    SSLSessionTickets Off

    # Reverse proxy to Repetier Server's own web server on port 3344
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / http://192.168.1.2:3344/ flushpackets=on Keepalive=On
    ProxyPassReverse / http://192.168.1.2:3344/

    # Forward WebSocket upgrades to the same backend host as above
    # (the original post had 192.168.11.2 here, a typo for 192.168.1.2)
    RewriteEngine on
    RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
    RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
    RewriteRule .* ws://192.168.1.2:3344/%{REQUEST_URI} [P]
    ProxyPass /socket/ ws://192.168.1.2:3344/socket/ timeout=86400 Keepalive=On
    ProxyPassReverse /socket/ ws://192.168.1.2:3344/socket/

    # Repetier Server does not authenticate the MJPEG webcam endpoint itself,
    # so require HTTP Basic auth at the proxy for everything below this path
    # (a trailing slash makes <Location> a prefix match, so all printers are covered)
    <Location "/printer/cammjpg/">
        AuthType Basic
        AuthName "Authentication Required"
        AuthUserFile "/etc/apache2/htusers"
        Require valid-user
    </Location>
</VirtualHost>
regards, Mario
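As an added example (not part of Mario's post and not Repetier Server code), a small Python check that requests the webcam URL shape quoted above without any credentials and reports whether the proxy answers 401/403 or hands out the stream. The fake proxy class is a constructed test fixture standing in for the Apache config; the host, port and printer name are assumptions.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

WEBCAM_PATH = "/printer/cammjpg/{printer}?cam={cam}"  # URL shape from the post


def check_webcam(base_url, printer, cam=0, timeout=5):
    """Request the stream with no credentials. Returns 'exposed' when it answers
    200 with image/MJPEG content, 'protected' on 401/403, else 'other:<status>'."""
    url = base_url.rstrip("/") + WEBCAM_PATH.format(printer=printer, cam=cam)
    req = urllib.request.Request(url, headers={"User-Agent": "webcam-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            ctype = resp.headers.get("Content-Type", "")
            # MJPEG streams are multipart/x-mixed-replace; single frames are image/*.
            if ctype.startswith("image/") or "x-mixed-replace" in ctype:
                return "exposed"
            return f"other:{resp.status}"
    except urllib.error.HTTPError as err:
        return "protected" if err.code in (401, 403) else f"other:{err.code}"


class _FakeProxy(BaseHTTPRequestHandler):
    """Constructed stand-in for the reverse proxy in front of port 3344 (fixture)."""
    require_auth = True  # False reproduces the unprotected default the post describes

    def do_GET(self):
        if not self.path.startswith("/printer/cammjpg/"):
            self.send_response(404)
            self.end_headers()
        elif self.require_auth and "Authorization" not in self.headers:
            self.send_response(401)  # what Apache's "Require valid-user" answers
            self.send_header("WWW-Authenticate", 'Basic realm="Authentication Required"')
            self.end_headers()
        else:
            self.send_response(200)
            self.send_header("Content-Type", "multipart/x-mixed-replace; boundary=frame")
            self.end_headers()
            self.wfile.write(b"--frame\r\nContent-Type: image/jpeg\r\n\r\n\xff\xd8\xff\xd9\r\n")

    def log_message(self, *args):  # keep the fixture quiet
        pass


def start_fake_proxy(require_auth):
    """Start the fixture on an ephemeral port; returns (server, base_url)."""
    handler = type("Handler", (_FakeProxy,), {"require_auth": require_auth})
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"
```

Point `check_webcam` at the public hostname of a real deployment (e.g. `check_webcam("https://repetier.somedomain.de", "YourPrinterName")`) to confirm the proxy rule is actually in effect; anything but "protected" means the stream is reachable without credentials.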




Comments

  • Forgot to mention the required htpasswd user/password before. The webcams can then be accessed as an external stream with special URL parameters: https://user:password@repetier.somedomain.de/printer/cammjpg/YourPrinterName?cam=0

  • In the correct solution your password trick would not be required. As you already pointed out, the regular link already contains a session identifier. So I modified the query to require an authenticated session for the next release. That way, even in the intranet, the regular link would not suffice. Thanks for pointing me to that problem.