Webcam security issue
Hi,
I figured out a serious webcam issue with Repetier Server (in my eyes). Webcams might be exposed to the public without the user being aware of it. Webcam streams could contain information about people's private apartments, protected business information or other things which nobody wants to show.
When accessing the tab "Webcam" to view a webcam assigned to a printer, the stream can be viewed from external hosts because no authentication is required. Normally this is "only" from the LAN, but when running a web server this needs to be configured accordingly (I found nothing in the documentation for nginx/apache yet). Even on the LAN this might be an issue.
Please right-click on the stream/image of the webcam, e.g. at https://repetier.somedomain.de/#!/printer/YourPrinterName/camera, to get the real URL revealed:
The URLs
correctly return the JSON response "authorization required".
I think Repetier Server, which runs its own web server on port 3344, should allow setting extra permissions for accessing the webcam in the frontend. Maybe integrate this in #!/userconfig or in the webcam config tab itself.
The workaround when exposing over public IP addresses with a reverse proxy is simple (you only need to know about it ...)
This is my apache2 config:
<VirtualHost *:443>
    ServerName repetier.somedomain.de
    ServerAdmin webmaster@somedomain.de
    ErrorLog ${APACHE_LOG_DIR}/error-repetier.log
    CustomLog ${APACHE_LOG_DIR}/access-repetier.log combined

    # TLS only, TLSv1.2+ with forward-secret AEAD suites. The Basic auth
    # below sends the credentials base64-encoded on every request, so it is
    # only acceptable because the site is TLS-only (enforced by HSTS).
    SSLEngine on
    SSLCertificateFile /etc/ssl/somedomain.de.pem
    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
    SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder On
    SSLCompression off
    SSLSessionTickets Off

    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    Header always set X-Content-Type-Options nosniff
    Header unset X-Powered-By
    Header set Referrer-Policy "origin-when-cross-origin"
    Header always edit Set-Cookie (.*) "$1; HttpOnly; Secure"
    Header set X-XSS-Protection "1; mode=block"

    # Reverse proxy to Repetier Server on its own port 3344 (backend is
    # 192.168.1.2:3344 everywhere below).
    ProxyRequests Off
    ProxyPreserveHost On

    # WebSocket upgrade for the UI. REQUEST_URI already starts with "/",
    # so no extra slash is needed in front of it.
    RewriteEngine on
    RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
    RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
    RewriteRule .* ws://192.168.1.2:3344%{REQUEST_URI} [P]

    # ProxyPass rules are checked in order and the first match wins, so the
    # more specific /socket/ rule has to come before the catch-all "/".
    ProxyPass /socket/ ws://192.168.1.2:3344/socket/ timeout=86400 Keepalive=On
    ProxyPassReverse /socket/ ws://192.168.1.2:3344/socket/
    ProxyPass / http://192.168.1.2:3344/ flushpackets=on Keepalive=On
    ProxyPassReverse / http://192.168.1.2:3344/

    # The actual workaround: the raw webcam URL bypasses Repetier's own login,
    # so require proxy-level Basic auth on it. Users live in
    # /etc/apache2/htusers (create with htpasswd). Note that "*" inside
    # <Location> does not match "/", so paths nested deeper below
    # /printer/cammjpg/ are not covered by this pattern; a plain
    # <Location "/printer/cammjpg/"> would protect the whole subtree.
    <Location "/printer/cammjpg/*">
        AuthType Basic
        AuthName "Authentication Required"
        AuthUserFile "/etc/apache2/htusers"
        Require valid-user
    </Location>
</VirtualHost>
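As an added example (not code from the post, and not Repetier Server's or Apache's own code), here is a small Python check for verifying from the outside that the workaround actually holds: it requests the raw webcam path without credentials and expects a 401, then requests it with credentials and expects a 200. The /printer/cammjpg/ prefix is taken from the Location block above; the second path, /webcam/MyPrinter, and the credentials are invented purely to show what an exposed endpoint looks like in the output. A constructed stand-in HTTP server plays the reverse proxy so the check runs offline; against a real deployment you would point classify() at the public base URL (https://repetier.somedomain.de in the post) and at the actual URL revealed by the right-click.

```python
"""Probe a reverse-proxied Repetier Server for unauthenticated webcam paths.

Added example, not code from the post or from Repetier Server. The
/printer/cammjpg/ prefix comes from the Apache Location block in the post;
/webcam/MyPrinter and the credentials are invented for the demo.
"""
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed stand-in for the proxy: paths below these prefixes demand HTTP
# Basic auth, everything else is served without any check (the exposed case).
PROTECTED_PREFIXES = ("/printer/cammjpg/",)
USERS = {"viewer": "s3cret"}  # constructed credentials for the stand-in only


class _ProxyStandIn(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo quiet
        pass

    def _authorized(self):
        hdr = self.headers.get("Authorization", "")
        if not hdr.startswith("Basic "):
            return False
        try:
            user, _, pw = base64.b64decode(hdr[6:]).decode().partition(":")
        except Exception:  # malformed base64 or non-UTF-8 credentials
            return False
        return USERS.get(user) == pw

    def do_GET(self):
        if self.path.startswith(PROTECTED_PREFIXES) and not self._authorized():
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="Authentication Required"')
            self.end_headers()
            return
        # Anything reachable pretends to be a JPEG frame of the webcam.
        self.send_response(200)
        self.send_header("Content-Type", "image/jpeg")
        self.end_headers()
        self.wfile.write(b"\xff\xd8\xff fake frame")


def start_stand_in():
    """Start the stand-in on a free loopback port; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), _ProxyStandIn)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def probe(base_url, path, auth=None, timeout=5):
    """GET base_url+path, optionally with Basic auth; returns (status, content_type)."""
    req = Request(base_url + path)
    if auth is not None:
        token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Content-Type", "")
    except HTTPError as err:  # urllib raises on 4xx/5xx; the status is the answer
        return err.code, err.headers.get("Content-Type", "")


def classify(base_url, paths, auth):
    """Map each path to EXPOSED / PROTECTED / LOCKED_OUT / OTHER(<status>).

    EXPOSED    : served without credentials (the problem described in the post)
    PROTECTED  : 401 anonymously, 200 with the given credentials (workaround works)
    LOCKED_OUT : 401 both ways, i.e. auth is demanded but these credentials fail
    """
    verdicts = {}
    for path in paths:
        anon_status, _ = probe(base_url, path)
        if anon_status == 200:
            verdicts[path] = "EXPOSED"
            continue
        if anon_status != 401:
            verdicts[path] = f"OTHER({anon_status})"
            continue
        authed_status, _ = probe(base_url, path, auth)
        verdicts[path] = "PROTECTED" if authed_status == 200 else "LOCKED_OUT"
    return verdicts


if __name__ == "__main__":
    srv, base = start_stand_in()
    try:
        paths = ["/printer/cammjpg/MyPrinter", "/printer/cammjpg/MyPrinter/0", "/webcam/MyPrinter"]
        for path, verdict in classify(base, paths, ("viewer", "s3cret")).items():
            print(f"{verdict:10} {path}")
    finally:
        srv.shutdown()
```

The stand-in uses a plain prefix match, which is broader than Apache's `<Location "/printer/cammjpg/*">` (the `*` there does not cross a `/`), so when running this against the real proxy probe every path shape the revealed URL can take, including any deeper segments, not just the one you right-clicked on. A verdict of EXPOSED on an image/MJPEG path is exactly the condition the post describes; LOCKED_OUT means the proxy rule is in place but the htusers credentials are wrong.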