I’m using the latest version of volumio
When I access the web interface from a windows pc with Bitdefender Endpoint Security installed I get the following bitdefender message:
Your device is being used to conduct an attack attempt of type Exploit.CommandInjection.258. Please contact your system administrator.
In the console I get:
Failed to load resource: the server responded with a status of 403 (Bitdefender Endpoint Security Tools blocked this page)
The link it’s calling is:
http://192.168.0.70/{{::pluginComponent.pluginObj.host+'/albumart?sectionimage=%27+section.image}}
the full endpoint log is:
Detection details
THREAT INFO
Threat type: Lateral movement
URL: HTTP://192.168.0.7/%7B%7B::pluginComponent.pluginObj.host+'/albumart?sectionimage='+section.image}}
AFFECTED ENDPOINT
Endpoint name: DESKTOP-678678678678678678
Endpoint type: Workstation
IP:
The same or a similar issue has been discussed in this thread:
Every time I open Volumio (v3.449) on my pc, Bitdefender flashes up a security warning as follows:
“An attempt to inject a command towards your system through a dangerous URL was made by 192.168.x.xxx. We blocked the connection to prevent malicious commands from being executed on the device and across the network.”
The URL is obviously my NUC’s IP address but what is the command?
I can add an exception but I don’t know what Volumio is trying to do to trigger Bitdefender.
I’m not a techie so …
This is caused by a bug in Volumio UI. The offending code is this:
<img ng-if="!section.icon && section.image" src="{{::pluginComponent.pluginObj.host+\'/albumart?sectionimage=\'+section.image}}" class="section-image">
You are likely to see the warning from Bitdefender when browsing a plugin settings page.
The reason this happens is that, even if the ng-if condition isn’t met because there is no section.image (most plugin settings show icons in the section headings instead of images), the browser will still load the image’s src, which in this case is an invalid URL that also appears to be unsafe according to Bitdefender.
I don’t know Angular JS, which is what Volumio uses for its framework, but it seems the proper way to conditionally show img elements is to use ng-src instead of src:
https://code.angularjs.org/1.5.0/docs/api/ng/directive/ngSrc
This behaviour is actually documented right at the beginning.
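An added model of the behaviour described above (example code, not Volumio’s or AngularJS’s own): it simulates the two phases, browser HTML parsing and Angular compilation, for the quoted template beside an ng-src version, and shows why only the plain src variant sends the raw {{...}} text to the server. The origin, the scope values and the hasUnrenderedTemplate check are constructed for the example; the expression evaluator is a plain Function standing in for Angular’s $parse.

```javascript
// Constructed example: models why a plain `src` on an AngularJS <img> fires a
// request for un-rendered template text while `ng-src` does not.
// ORIGIN is the Volumio address from the thread; the fetch itself is simulated.
const ORIGIN = 'http://192.168.0.70/';

// The template quoted in the thread (backslash escapes from the bundle dropped)
// and the same element rewritten with ng-src.
const BROKEN_TAG = '<img ng-if="!section.icon && section.image" ' +
  'src="{{::pluginComponent.pluginObj.host+\'/albumart?sectionimage=\'+section.image}}" class="section-image">';
const FIXED_TAG = BROKEN_TAG.replace(' src="', ' ng-src="');

// Constructed scopes: a plugin section showing an icon, and one with an image.
const ICON_SCOPE = { pluginComponent: { pluginObj: { host: 'http://192.168.0.70' } }, section: { icon: 'fa-cog' } };
const IMAGE_SCOPE = { pluginComponent: { pluginObj: { host: 'http://192.168.0.70' } }, section: { image: 'cover.jpg' } };

// Minimal parser for one <img ...> tag: attribute name -> value.
function parseImgAttrs(tag) {
  const attrs = {};
  const re = /([\w:-]+)="([^"]*)"/g;
  let m;
  while ((m = re.exec(tag)) !== null) attrs[m[1]] = m[2];
  return attrs;
}

// Phase 1, HTML parsing: the browser resolves and fetches `src` verbatim before
// Angular has run, so `{{...}}` reaches the server as literal (percent-encoded) text.
function eagerRequests(tag) {
  const { src } = parseImgAttrs(tag);
  return src === undefined ? [] : [new URL(src, ORIGIN).href];
}

// Phase 2, Angular compilation: ng-if removes the element when false; otherwise
// ng-src is interpolated against the scope and only then is a request made.
// `new Function` with `with` stands in for Angular's $parse; it is acceptable
// here only because the template is trusted page markup, never user input.
function compiledRequests(tag, scope) {
  const { 'ng-if': ngIf, 'ng-src': ngSrc } = parseImgAttrs(tag);
  const evaluate = (expr) => new Function('s', `with (s) { return (${expr}); }`)(scope);
  if (ngIf !== undefined && !evaluate(ngIf)) return [];
  if (ngSrc === undefined) return [];
  const url = ngSrc.replace(/\{\{::?(.*?)\}\}/g, (_, expr) => evaluate(expr));
  return [new URL(url, ORIGIN).href];
}

// Detection-side check: `{{` / `}}` in a request URL, raw or percent-encoded,
// is un-rendered template text, the shape of URL the endpoint agent flagged.
function hasUnrenderedTemplate(url) {
  return /(\{\{|%7B%7B|\}\}|%7D%7D)/i.test(url);
}
```

Running eagerRequests(BROKEN_TAG) reproduces the %7B%7B...sectionimage=%27 URL from the Bitdefender log, while the ng-src version issues nothing until ng-if is true and the expression has resolved.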
Thanks for the hint! It’s now fixed (manifest only)
Please let us know (in future versions, if that’s still an issue)
Thanks @patrickkfkan !!!