http Web Interface-restrict 'Open File' to specific location
Posted: 19 Mar 2011 01:23
When the http Web Interface is being added to the VLC media player, it is possible, to remotely control VLC from inside a LAN or over the Internet, using a web browser.
The Web Interface gives access from a remote computer to all files on all drives, folders and subfolders on the machine, running VLC media player.
To see this behaviour, open the IP-Address corresponding to the VLC Web Interface inside a web browser. From the control menu click at the "open button" and inside the "Open File" dialog, click at the "Browse" button. Inside the popup window, you can access all files on all drives and inside all directories of the computer running VLC media player.
It is even possible, to access files on all shared devices that are reachable from the machine, running VLC media player.
To see this behaviour, inside the "Open File" dialog, into the "Input (MRL) field key in any desired shared directory that is accessible inside the LAN (for example "\\server\directory") and click on "Play". All files of the directory structure will be placed into the playlist and the VLC media player starts playing the playlist from the beginning.
The described behaviour is a huge security issue, as in common LAN environments several computers (and also several users) can have access to the running VLC Web Interface. In case, the user grants access to the VLC Web Interface from outside the LAN in order to controll the VLC media player over the Internet, the described behaviour might become an open door to the whole LAN-Network from the Internet.
My suggestion of change is, to implement a functionality to define, which shared device(s), drive(s), folder(s), subfolder(s), file(s) and file-type(s) shall be remotely accessible using the VLC Web Interface.
The VLC Web Interface is becoming more and more popular, as it is the underlying technology for remote applications like "VLC-Remote" or "VLC Stream & Convert" for Android devices and several more. None of these devices (as far as I know) allow to define a password protected access to the VLC Web Interface. But using the Web Interface without passwort protection means an open door to all files of the computer and possibly the whole LAN-Network.
Any comments are very welcome
Klaus
The Web Interface gives access from a remote computer to all files on all drives, folders and subfolders on the machine, running VLC media player.
To see this behaviour, open the IP-Address corresponding to the VLC Web Interface inside a web browser. From the control menu click at the "open button" and inside the "Open File" dialog, click at the "Browse" button. Inside the popup window, you can access all files on all drives and inside all directories of the computer running VLC media player.
It is even possible, to access files on all shared devices that are reachable from the machine, running VLC media player.
To see this behaviour, inside the "Open File" dialog, into the "Input (MRL) field key in any desired shared directory that is accessible inside the LAN (for example "\\server\directory") and click on "Play". All files of the directory structure will be placed into the playlist and the VLC media player starts playing the playlist from the beginning.
The described behaviour is a huge security issue, as in common LAN environments several computers (and also several users) can have access to the running VLC Web Interface. In case, the user grants access to the VLC Web Interface from outside the LAN in order to controll the VLC media player over the Internet, the described behaviour might become an open door to the whole LAN-Network from the Internet.
My suggestion of change is, to implement a functionality to define, which shared device(s), drive(s), folder(s), subfolder(s), file(s) and file-type(s) shall be remotely accessible using the VLC Web Interface.
The VLC Web Interface is becoming more and more popular, as it is the underlying technology for remote applications like "VLC-Remote" or "VLC Stream & Convert" for Android devices and several more. None of these devices (as far as I know) allow to define a password protected access to the VLC Web Interface. But using the Web Interface without passwort protection means an open door to all files of the computer and possibly the whole LAN-Network.
Any comments are very welcome
Klaus