Bitdefender Endpoint reports error

danbuntu · May 23, 2023, 9:04am

I’m using the latest version of volumio

When I access the web interface from a windows pc with Bitdefender Endpoint Security installed I get the following bitdefender message:

Your device is being used to conduct an attack attempt of type Exploit.CommandInjection.258. Please contact your system administrator.

In the console I get:

Failed to load resource: the server responded with a status of 403 (Bitdefender Endpoint Security Tools blocked this page)

The link it’s calling is:

http://192.168.0.70/{{::pluginComponent.pluginObj.host+’/albumart?sectionimage=%27+section.image}}

the full endpoint log is:

Detection details
THREAT INFO

Threat type:
Lateral movement
URL:
[HTTP://192.168.0.7/%7B%7B::pluginComponent.pluginObj.host+'/albumart?sectionimage='+section.image}](http://192.168.0.7/%7B%7B::pluginComponent.pluginObj.host+'/albumart?sectionimage=%27+section.image%7d)}
AFFECTED ENDPOINT
Endpoint name:
DESKTOP-678678678678678678
Endpoint type:
Workstation
IP:

Wolfman74 · May 23, 2023, 9:21am

Same/similar issue has been discussed in this thread

patrickkfkan · May 23, 2023, 4:58pm

This is caused by a bug in Volumio UI. The offending code is this:

<img ng-if="!section.icon && section.image" src="{{::pluginComponent.pluginObj.host+\'/albumart?sectionimage=\'+section.image}}" class="section-image">

You are likely to see the warning from Bitdefender when browsing a plugin settings page.

Reason why this happens is, even if the ng-if condition isn’t met because there is no section.image (most plugin settings show icons in the section headings instead of images), the browser will still load the image’s src, which in this case is an invalid URL that also appears to be unsafe according to Bitdefender.

I don’t know Angular JS which is what Volumio uses for its framework, but it seems the proper way to conditionally show img elements is to use ng-src instead of src:

https://code.angularjs.org/1.5.0/docs/api/ng/directive/ngSrc

This behaviour is actually documented right at the beginning.

volumio · May 24, 2023, 11:10am

Thanks for the hint! It’s now fixed (manifest only)

Please let us know (in future versions, if that’s still an issue)

Thanks @patrickkfkan !!!