
#218 network_interface: http and udp port 1900 still listen to other interfaces, too

v1.0 (example)
open
nobody
5
2020-01-27
2013-11-17
No

If the /etc/minidlna.conf contains a line e.g.

network_interface=eth1

or

network_interface=eth0

with more than one network card in the system (e.g. one connected to the LAN, the other to the WAN), minidlna does not observe this restriction for the http side and udp port 1900, only for its main udp port. This could result in a serious breach of security if, for example, the other interface is exposed to the WAN while the setting restricts to the LAN only.

Netstat shows (http port set to 81):

netstat -nap | grep minid

tcp 0 0 0.0.0.0:81 0.0.0.0:* LISTEN 15073/minidlnad

udp 0 0 192.168.x.x:36151 0.0.0.0:* 15073/minidlnad

udp 0 0 0.0.0.0:1900 0.0.0.0:* 15073/minidlnad

It might be an idea to permit more than one network_interface being bound (e.g. lo,eth0).
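
A check for the symptom shown in the netstat output above, as an added example that is not part of the original report or of minidlna. The function names and the sample lines (including the stand-in address 192.0.2.10 and the sshd row) are constructed for illustration.

```shell
#!/bin/sh
# Reads `netstat -nap` output on stdin and prints "proto port" for every
# socket owned by the named program whose local address is a wildcard
# (0.0.0.0 or ::), i.e. reachable through every interface.
wildcard_sockets() {
    awk -v prog="$1" '
        # The last field is "PID/Program name". UDP rows have no State
        # column, so match on $NF instead of a fixed field number.
        $1 ~ /^(tcp|udp)6?$/ && $NF ~ ("^[0-9]+/" prog "$") {
            port = $4; sub(/^.*:/, "", port)          # text after last colon
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr == "0.0.0.0" || addr == "::" || addr == "[::]")
                print $1, port
        }'
}

# Constructed sample modelled on the output in the report.
sample_netstat() {
    cat <<'EOF'
tcp        0      0 0.0.0.0:81        0.0.0.0:*      LISTEN      15073/minidlnad
tcp        0      0 0.0.0.0:22        0.0.0.0:*      LISTEN      1234/sshd
udp        0      0 192.0.2.10:36151  0.0.0.0:*                  15073/minidlnad
udp        0      0 0.0.0.0:1900      0.0.0.0:*                  15073/minidlnad
EOF
}

# Returns 1 (and lists the sockets) when the program has any wildcard
# binding, so the function can gate a deployment or monitoring check.
check_binding() {
    found=$(wildcard_sockets "$1")
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# On a live host: netstat -nap | check_binding minidlnad   (run as root so
# that the PID/Program column is populated)
sample_netstat | check_binding minidlnad ||
    echo "minidlnad is not restricted to one interface"
```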

Discussion

  • LISTEN ALL - 2014-10-28

    I discovered this behavior today.

    This could cause a security disaster in many situations.
    I don't understand why it's still not fixed despite being reported for almost a year.

    I don't think there is a technical reason that requires listening to all interfaces.

  • Alfredo Esteban de la Torre

    I agree this is a very serious security bug. Maintainers, could you please take a look at the patch posted in this bug report?

    The patch doesn't work if the administrator specifies more than one interface. It falls back to 0.0.0.0 if more than one interface is specified, but this is much better than the current behaviour.