Security Subsonic[solved]


Postby sweetsweet » Tue Aug 14, 2012 10:25 pm

Hello, I am French and my English is limited; I apologize in advance. :roll:

I have a question about the security of Subsonic: is Subsonic secure by default?
Once I have changed the default password, is there nothing else to do? Is there no risk of SQL injection? Is the Jetty server configured to be secure, or not? Do I risk nothing by using it on my VPS?

Cordially.

Hello, I am French and my English is limited; please excuse me in advance.

I have a question about the security of Subsonic: is Subsonic secure by default?
Once I have changed the default password, is there nothing else to do? Is there no risk of SQL injection? Is the Jetty server configured to be secure, or not at all? Do I risk nothing by using it on my VPS?

Cordially.
Last edited by sweetsweet on Wed Aug 15, 2012 6:47 pm, edited 1 time in total.
sweetsweet
 
Posts: 21
Joined: Wed Jul 25, 2012 2:23 pm

Re: Security Subsonic

Postby GJ51 » Wed Aug 15, 2012 2:52 am

No major security problems have been reported. Minor issues raised by users are addressed promptly by the developer. I am not aware of anyone reporting that they have had a system compromised by using Subsonic.
Gary J

http://bios-mods.com
http://www.maplegrovepartners.com
http://theaverageguy.tv/category/tagpodcasts/cyberfrontiers/
GJ51
 
Posts: 3492
Joined: Wed Oct 20, 2010 11:58 pm
Location: Western New York

Re: Security Subsonic

Postby hakko » Wed Aug 15, 2012 5:35 am

The major problem (in my view) is that passwords are sent in clear-text (or close to it) by the various apps that are available, as part of the URL scheme. This makes passwords very easy to eavesdrop on for somebody with a certain degree of knowledge.

The second major problem is that Subsonic stores all user details in clear-text (or close to it), both login passwords and last.fm passwords, together with email addresses. Since many people use the same password on different sites, this is of course unacceptable. I've addressed this issue in my Subsonic mod so that passwords are instead stored as salted hash sums. I've made this publicly available for Sindre to use, but have had no response.

The third major problem is that Subsonic uses a four-year-old security framework called Acegi. Exploits have been reported for this. I've addressed this issue as well in my Subsonic mod, updating to the latest version of Spring Security, which is the successor of Acegi. I've made this publicly available too, but have had no response.

The fourth major problem is that Subsonic is configured to run as root on non-Windows installs (I haven't checked permissions for Windows), which would give an intruder completely free hands to do whatever she/he wants.

The fifth problem is that SSL isn't turned on by default, so even normal logins are quite possible to eavesdrop on, even if it's harder than wire-tapping the apps speaking to your server.

I'd say you obviously run a risk when you install software that accepts connections from foreign machines. Not only that: software that allows users to configure which part of your hard drive to read files from, to upload new files to your computer, and to execute commands. How could you not say you're running a risk?

If you want to learn more, read the Subsonic source code and make up your mind on whether it feels safe or not.

GJ51 wrote: Minor issues raised by users are addressed promptly by the developer.

I wish this was true... but what about viewtopic.php?f=3&t=5996 ?
MusicCabinet developer
hakko
 
Posts: 1416
Joined: Tue Apr 17, 2012 7:05 pm
Location: Sweden
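The second point above (user passwords kept in clear-text versus stored as salted hashes) is the one a self-hoster can most easily reason about in code. The following is an added example, not code from Subsonic, MusicCabinet or hakko's mod: it stores each password as a per-user random salt plus an iterated PBKDF2-HMAC-SHA256 digest, verifies logins by recomputing the digest with the stored salt and comparing in constant time, and shows a one-shot migration of a plaintext user table. The record format (`algorithm$iterations$salt$hash`), the iteration count, and the sample user table are assumptions constructed for the example.

```python
"""Store passwords as salted, iterated hashes instead of clear-text.

Added example for the thread above; not Subsonic's or hakko's code.
The record format, iteration count and user table are constructed here.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumed storage format for this example: algorithm$iterations$salt_hex$hash_hex
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000   # assumed work factor; raise as hardware allows
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record from which the hash can be re-checked.

    A fresh random salt per user means two users with the same password
    get different records, and a leaked table cannot be attacked with one
    precomputed lookup for all users at once.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iterations.

    The comparison is constant-time so that a mismatch does not leak how
    many leading bytes were correct. Malformed or unknown records fail closed.
    """
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    if algorithm != ALGORITHM or rounds < 1:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(digest.hex(), hash_hex)


def migrate_plaintext_store(users: Dict[str, str]) -> Dict[str, str]:
    """One-shot migration: replace every clear-text password with a hash record.

    After this the original passwords are no longer recoverable from the
    table, which is exactly the property a clear-text store lacks.
    """
    return {name: hash_password(pw) for name, pw in users.items()}


# Constructed sample user table, as a clear-text store would look before migration.
PLAINTEXT_USERS = {"admin": "correct horse battery staple", "alice": "hunter2"}


if __name__ == "__main__":
    hashed = migrate_plaintext_store(PLAINTEXT_USERS)
    for name, record in hashed.items():
        print(name, record)
    print(verify_password("hunter2", hashed["alice"]))   # True
    print(verify_password("hunter3", hashed["alice"]))   # False
```

Because the record carries its own algorithm name and iteration count, the work factor can be raised later and old records re-hashed on the user's next successful login, without a second migration of the whole table.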

Re: Security Subsonic

Postby sweetsweet » Wed Aug 15, 2012 11:03 am

Thank you for your answers.

@GJ51
Do you intend to solve the problems mentioned by @Hakko?

Cordially.
sweetsweet
 
Posts: 21
Joined: Wed Jul 25, 2012 2:23 pm

Re: Security Subsonic

Postby GJ51 » Wed Aug 15, 2012 3:55 pm

No, I don't write the program.

Although Hakko highlights potential security weaknesses, which are admittedly above my pay grade, the fact remains that the thousands of users here in the forums have never reported a security breach on their Subsonic installations.

Regardless, those concerns can be minimized by running Subsonic on an isolated server or in a virtual machine and using a unique password for your admin account.

If that still doesn't satisfy your concerns, then you probably won't be comfortable with Subsonic and should not use it.

Regards
Gary J

http://bios-mods.com
http://www.maplegrovepartners.com
http://theaverageguy.tv/category/tagpodcasts/cyberfrontiers/
GJ51
 
Posts: 3492
Joined: Wed Oct 20, 2010 11:58 pm
Location: Western New York

Re: Security Subsonic

Postby sweetsweet » Wed Aug 15, 2012 6:46 pm

Thank you for your answers.
sweetsweet
 
Posts: 21
Joined: Wed Jul 25, 2012 2:23 pm

