peterw wrote:
> I just wanted to say thanks to the pCP crew for adding the Security page
> to the Beta web UI for 6.0! I do hope you'll promote that to the
> mainstream admin UI, although I suggest you consider a few tweaks:
> 1) add a Password Confirmation input on the httpd settings page
> 2) add a note that the pCP settings will be saved as soon as the change
> is applied (I expected that they would NOT be, that I would be able to
> verify that I could still access the httpd and sshd after setting
> passwords and just power cycle the Pi if I goofed somehow)
> 3) incorporate CSRF protection into the web UI, at least Referer checks.
> It seems too easy to use CSRF with mere GET requests to effect
> significant changes on the pCP. Even those w/ authentication required
> for the web UI are vulnerable to CSRF attacks.
>
> Thanks!
Hi peterw,

Thanks for the feedback. I've added your requests to my list of things to do.

Regarding #3, there was a fourth page that didn't make it into production that disabled the http server (after a few minutes). I think you can manually change GUI_DISABLE="0" in the pcp.cfg to a few minutes. The CLI setup command ($ setup) has the option to turn off the GUI but it is either on or off, no grace period after reboot.

regards
Greg

------------------------------------------------------------------------
Greg Erskine's Profile: http://forums.slimdevices.com/member.php?userid=7403
View this thread: http://forums.slimdevices.com/showthread.php?t=109401

_______________________________________________
unix mailing list
unix@lists.slimdevices.com
http://lists.slimdevices.com/mailman/listinfo/unix
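An added example of the Referer-style CSRF gate peterw asks for in item 3; this is illustrative code, not piCorePlayer's own, and it assumes a busybox-style shell CGI that receives REQUEST_METHOD, HTTP_HOST, HTTP_ORIGIN and HTTP_REFERER from the httpd (the variable names follow the CGI convention, the function name csrf_allowed is hypothetical).

```sh
#!/bin/sh
# csrf_allowed METHOD HOST ORIGIN REFERER
# Returns 0 when a state-changing request may proceed, 1 otherwise.
# Two checks: changes must arrive by POST (so a plain GET triggered by an
# <img> tag or a link cannot alter settings), and the request's Origin, or
# failing that its Referer, must name the same host the browser addressed.
csrf_allowed() {
    method="$1"; host="$2"; origin="$3"; referer="$4"

    # Settings changes only via POST; any GET is refused outright.
    [ "$method" = "POST" ] || return 1

    # Prefer Origin (sent by modern browsers on POST); fall back to Referer.
    src="$origin"
    [ -n "$src" ] || src="$referer"
    # No way to tell where the request came from: fail closed.
    [ -n "$src" ] || return 1

    # Pull host[:port] out of "scheme://host[:port][/path]"; an unparsable
    # value such as "null" yields an empty string and is rejected.
    src_host=$(printf '%s' "$src" \
        | sed -n 's#^[a-zA-Z][a-zA-Z0-9+.-]*://\([^/?]*\).*#\1#p' \
        | tr 'A-Z' 'a-z')
    [ -n "$src_host" ] || return 1
    [ "$src_host" = "$(printf '%s' "$host" | tr 'A-Z' 'a-z')" ] || return 1
    return 0
}

# Typical use at the top of a settings CGI: refuse before touching pcp.cfg.
if csrf_allowed "${REQUEST_METHOD:-GET}" "${HTTP_HOST:-}" \
                "${HTTP_ORIGIN:-}" "${HTTP_REFERER:-}"; then
    echo "Status: 200"
else
    echo "Status: 403"
fi
```

The host comparison is exact, so a request carrying a port in Origin but not in Host (or the reverse) is refused; that is the safe direction for a device UI that answers on one port.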