Comments (2)
Context
It is a problem if someone can access the Duplicati-server.sqlite in some way, as they can extract the password for the UI.
Using the password, it is possible to perform all operations a valid user would do (delete, create new, change, etc), and this can be used to escalate access.
Mitigations
Permissions are set on Windows and Linux/MacOS to prevent unauthorized access to the database, meaning that an attacker needs access to the system and the folder where the Duplicati-server.sqlite is stored.
In case the file is, for some reason, part of a backup, it can be obtained through the backup. Encryption on the backup will prevent access, provided that the passphrase is kept secret.
Background
The password mechanism used in Duplicati is designed to never send a token/password that can be used to grant access or reveal the password. In other words, the security is designed to prevent passive & active monitoring over the http-connection between the server (or tray-icon) and the browser.
The scheme works by accepting a nonce/salt (can be attacker chosen) and then hashing the password with this and returning the result. Even if the attacker chooses the salt, they can only obtain the hashed value and not perform MITM because the server will send a new nonce at later connection attempts.
For this scheme to work, the server needs to know the "password" that is used to access it. To avoid storing the actual password in the database, a hash of the password is stored. This is only done to hide a weak password and means that the hash is now the password. It is, however, only slightly better than storing the password clear-text.
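To make the property described above concrete, here is an added toy model of the challenge-response scheme (example code written for this page, not Duplicati's own implementation; the exact hash construction, the salt value and the `Server` class are assumptions). It shows that a fresh nonce per attempt defeats replay of a captured response, and that the server only ever needs the stored hash to verify a login, which is why the stored hash is effectively the password and the database must be protected.

```python
import hashlib
import hmac
import secrets

# Constructed model of a salted-hash challenge-response login. The hash
# layout (SHA-256 over salt||password, then over nonce||hash) is an assumption
# made for this example, not a statement of Duplicati's actual format.


def derive_stored_hash(password: str, salt: bytes) -> bytes:
    """Value the server keeps in its settings database instead of the password."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def new_nonce() -> bytes:
    """Fresh challenge for one login attempt; never reused."""
    return secrets.token_bytes(32)


def response_from_hash(stored_hash: bytes, nonce: bytes) -> bytes:
    """Both sides compute this: the client from the password-derived hash,
    the server from the hash it has in the database."""
    return hashlib.sha256(nonce + stored_hash).digest()


def client_login(password: str, salt: bytes, nonce: bytes) -> bytes:
    """What the browser sends: hash the typed password, then answer the nonce."""
    return response_from_hash(derive_stored_hash(password, salt), nonce)


class Server:
    """Hypothetical server side: stores only salt + hash, issues one nonce per attempt."""

    def __init__(self, password: str, salt: bytes) -> None:
        self.salt = salt
        self.stored_hash = derive_stored_hash(password, salt)
        self.pending_nonce = None

    def challenge(self) -> tuple:
        self.pending_nonce = new_nonce()
        return self.salt, self.pending_nonce

    def verify(self, response: bytes) -> bool:
        if self.pending_nonce is None:
            return False
        expected = response_from_hash(self.stored_hash, self.pending_nonce)
        self.pending_nonce = None  # single use: a replay must answer a new nonce
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Exercise the scheme and return the outcome of each scenario."""
    salt = b"constructed-example-salt"  # constructed value
    server = Server("correct horse battery staple", salt)
    results = {}

    # 1. Legitimate login with the right password.
    s, nonce = server.challenge()
    first_response = client_login("correct horse battery staple", s, nonce)
    results["correct_password"] = server.verify(first_response)

    # 2. Wrong password fails.
    s, nonce = server.challenge()
    results["wrong_password"] = server.verify(client_login("wrong", s, nonce))

    # 3. A passive listener who captured first_response cannot replay it,
    #    because the server has since issued a different nonce.
    s, nonce = server.challenge()
    results["replayed_response"] = server.verify(first_response)

    # 4. Verification needs only the stored hash: anyone holding the database
    #    value can answer the challenge without the password. This is the
    #    "the hash is now the password" property the text describes.
    s, nonce = server.challenge()
    results["hash_only"] = server.verify(
        response_from_hash(server.stored_hash, nonce)
    )
    return results


if __name__ == "__main__":
    for scenario, ok in demo().items():
        print(f"{scenario}: {'accepted' if ok else 'rejected'}")
```

The constant-time comparison and the single-use nonce are the defensive details worth keeping in any real implementation; the fourth scenario is the reason the mitigations section above focuses on file permissions and backup encryption rather than on the hash itself.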
Improvements
Given that the password is exchanged for an access token, any attacker listening could simply intercept the access token instead.
Ideally, it would be great if we could get TLS in, but this is hard to do securely for localhost, without exposing the user to a greater risk with an approved self-signed certificate.
An alternative to this is to encrypt values that are sensitive, such as the UI password, and store only the encrypted versions in the database. This requires a good mechanism for storing the database password, which should ideally be using the operating system keychain for this.
Encrypting the entire database is currently not an option for an SQLite database, but another database could be used, as performance is non-essential for the settings.
from duplicati.
This issue has been mentioned on Duplicati. There might be relevant details there:
https://forum.duplicati.com/t/battle-plan-for-dropping-httpserver/18002/7
from duplicati.