#218 network_interface: http and udp port 1900 still listen to other interfaces, too

v1.0 (example)
open
nobody
5
2014-10-28
2013-11-17
Simon Hradecky
No

If the /etc/minidlna.conf contains a line e.g.

network_interface=eth1

or

network_interface=eth0

with more than one network card in the system (e.g. one connected to the LAN, the other to the WAN), minidlna does not observe this restriction for the http side and udp port 1900, only for its main udp port. This could result in a serious breach of security if, for example, the other interface is exposed to the WAN while the setting restricts to the LAN only.

Netstat shows (http port set to 81):

netstat -nap | grep minid

tcp 0 0 0.0.0.0:81 0.0.0.0:* LISTEN 15073/minidlnad

udp 0 0 192.168.x.x:36151 0.0.0.0:* 15073/minidlnad

udp 0 0 0.0.0.0:1900 0.0.0.0:* 15073/minidlnad

It might be an idea to permit more than one network_interface being bound (e.g. lo,eth0).
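A check for the condition reported above, as an added example that is not part of the original report or of minidlna itself: it reads the `network_interface` setting and flags any minidlnad socket in `netstat -nap` output that is bound to a wildcard address. The sample config, the filled-in LAN address and the sshd line are constructed; the function names are hypothetical.

```python
# Constructed sample modelled on the netstat output in the report.
SAMPLE_NETSTAT = """\
tcp   0  0 0.0.0.0:81          0.0.0.0:*   LISTEN   15073/minidlnad
udp   0  0 192.168.1.10:36151  0.0.0.0:*            15073/minidlnad
udp   0  0 0.0.0.0:1900        0.0.0.0:*            15073/minidlnad
tcp   0  0 0.0.0.0:22          0.0.0.0:*   LISTEN   801/sshd
"""
SAMPLE_CONF = "port=81\nnetwork_interface=eth1\n"  # constructed

WILDCARDS = {"0.0.0.0", "::", "*"}


def configured_interfaces(conf_text):
    """Interfaces named by network_interface= lines, comments skipped.
    Assumption: a comma-separated value (as the report suggests) is split."""
    found = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("network_interface="):
            value = line.split("=", 1)[1]
            found += [i.strip() for i in value.split(",") if i.strip()]
    return found


def wildcard_sockets(netstat_text, program="minidlnad"):
    """(proto, port) for each socket of `program` bound to all interfaces."""
    hits = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue
        if not fields[-1].endswith("/" + program):
            continue  # last column is PID/program name
        addr, _, port = fields[3].rpartition(":")  # also handles ":::81"
        if addr.strip("[]") in WILDCARDS:
            hits.append((fields[0], int(port)))
    return hits


def audit(conf_text, netstat_text):
    """Sockets that ignore an interface restriction present in the config."""
    if not configured_interfaces(conf_text):
        return []  # no restriction configured, wildcard binds are expected
    return wildcard_sockets(netstat_text)


if __name__ == "__main__":
    for proto, port in audit(SAMPLE_CONF, SAMPLE_NETSTAT):
        print(f"minidlnad {proto}/{port} is bound to all interfaces")
```

On a host that shows this result, a packet-filter rule restricting those ports to the LAN interface keeps them off the WAN side regardless of how the daemon binds.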

Discussion

  • LISTEN ALL
    2014-10-28

    I discovered this behavior today.

    This could cause a security disaster in many situations.
    I don't understand why it's still not fixed despite being reported for almost a year.

    I don't think there is a technical reason that requires listening to all interfaces.