tavoc

Everything posted by tavoc

  1. The same goes for KeePass. Runs nicely on 2 Windows and 3 Android devices.
  2. How about adding SH-4 (SuperH4)? It would be really nice to run this on my stream boxes.
  3. I didn't want to scare people away from using BTsync, because it is a great idea. I only wanted to point out that your security relies on your chosen basic authentication. Therefore you should choose a strong one. For now I would not recommend forwarding the ports. As far as I have looked, the Android and Windows packages are not affected, because there is no web GUI (or I need to look more closely). By the way: is there a way to report vulnerabilities for BTsync (I still have a few ideas)?
  4. This is only a backdoor if your chosen credentials are weak, e.g. admin/admin or root/root and so on. But yes, this should be fixed, because a brute-force attack on your credentials is more likely. Maybe a system like DenyHosts would be good: after 3-4 bad login requests the port goes down for this IP.
  5. Thanks. By the way: with 1.1.69 it is the same.
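The DenyHosts-style lockout suggested in post 4, written out as an added example (it is not BTSync code and not the poster's). The access-log format, the threshold of 3 failures in 5 minutes and the one-hour ban are assumptions for the example; a real deployment would read the web GUI's own log and block at the firewall.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample web-GUI access log: timestamp, client IP, path, HTTP status.
# The format is assumed for this example; BTSync does not write such a log itself.
SAMPLE_LOG = """\
2013-06-01T12:00:01 192.0.2.10 /gui 401
2013-06-01T12:00:03 192.0.2.10 /gui 401
2013-06-01T12:00:05 192.0.2.10 /gui 401
2013-06-01T12:00:07 192.0.2.10 /gui 200
2013-06-01T12:00:09 192.168.1.50 /gui 401
2013-06-01T12:00:10 192.168.1.50 /gui 200
2013-06-01T12:30:00 198.51.100.7 /gui 401
2013-06-01T12:40:00 198.51.100.7 /gui 401
2013-06-01T12:50:00 198.51.100.7 /gui 401
"""

class LoginGuard:
    """Lock out a client IP after `threshold` failed (401) attempts inside `window`."""
    def __init__(self, threshold=3, window=timedelta(minutes=5), ban=timedelta(hours=1)):
        self.threshold, self.window, self.ban = threshold, window, ban
        self.failures = defaultdict(deque)  # ip -> timestamps of recent 401s
        self.banned_until = {}              # ip -> datetime when the ban expires
    def record(self, ip, status, now):
        """Feed one request; return True if the IP is (or just became) locked out."""
        if now < self.banned_until.get(ip, datetime.min):
            return True                     # refuse even a correct password while banned
        if status == 200:
            self.failures.pop(ip, None)     # successful login clears the counter
            return False
        if status != 401:
            return False                    # only authentication failures count
        recent = self.failures[ip]
        recent.append(now)
        while now - recent[0] > self.window:  # forget failures older than the window
            recent.popleft()
        if len(recent) < self.threshold:
            return False
        self.banned_until[ip] = now + self.ban
        del self.failures[ip]
        return True

def replay(log_text, threshold=3):
    """Replay log lines; return (locked-out IPs, per-line (ip, status, refused))."""
    guard = LoginGuard(threshold=threshold)
    decisions = []
    for line in log_text.splitlines():
        ts, ip, _path, status = line.split()
        refused = guard.record(ip, int(status), datetime.fromisoformat(ts))
        decisions.append((ip, int(status), refused))
    return {ip for ip, _status, refused in decisions if refused}, decisions
```

Note that the attempts from 198.51.100.7 are spaced ten minutes apart, so they never accumulate inside the window and that IP is not locked out; the window size therefore needs choosing with slow brute-force attempts in mind.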
  6. Ok, but then the default package has the wrong settings (for SSL).
     For the WebGUI: if I bind it to localhost (listen=127.0.0.1:8888) it won't be really useful on a headless server or NAS, because you can't access it. The only way would be some SSH port forwarding with PuTTY. If I bind it to a local IP (192.168.1.2) it would not fix the problem if I forward port 4321 from my router to the box, because then you can still open externalIP:4321/gui. But why is the GUI running on the listening port anyway? I don't see the need for this.
     For security: enabling SSL and having a very strong basic authentication key would help a little. But this is only a workaround.
  7. Hi there, I have tried a few things with the problem I found. This problem could lead to losing your secret keys to everyone. Therefore an attacker could possibly get all the content which you sync. Here is the exact setup.
     Server side: 1.1.48 on Debian (will update later), internal IP: 192.168.1.2
     config:

         {
           "device_name": "serverT",
           "storage_path": "/var/lib/btsync",
           "listening_port": 4321,
           "check_for_updates": false,
           "use_upnp": false,
           "download_limit": 0,
           "upload_limit": 0,
           "disk_low_priority": true,
           "lan_encrypt_data": true,
           "lan_use_tcp": false,
           "rate_limit_local_peers": false,
           "folder_rescan_interval": 600,
           "webui": {
             "listen": "0.0.0.0:8888",
             "login": "myuser",
             "password": "mysecurepassword"
           }
         }

     You can see that my local port is 8888 and the listening port is 4321. In my router only 4321 is forwarded to this Debian box. If you open 192.168.1.2:8888/gui and put in the basic auth, everything is working as expected. You get the web GUI and see all the secrets.
     BUT this is insecure:
     Open 192.168.1.2:4321/gui --> nothing will happen the first time (invalid request)
     Open 192.168.1.2:4321/gui again --> basic authentication is requested (you put it in here)
     Open 192.168.1.2:4321/gui again --> nothing will happen
     Open 192.168.1.2:4321/gui again --> full access
     This behaviour applies to the external IP too. Therefore your secret content relies only on your chosen login/password. If I can get this right, I see all the secrets and can add your share to my box (and all your data is transferred to me). Running basic authentication over HTTP is usually a bad idea, because it is a cleartext protocol. The login/password can be sniffed. Therefore there should be no way to get to the GUI on the listening port. Or at least give out an advisory which informs the users that their data might be at risk. As long as this is not fixed, the listening port should not be publicly open to the internet.
  8. I know that I can have multiple web servers on my box. But this is not the point. All ports are disabled in my router, except 4321. It is OK to connect to port 8888 from inside my network, because this is how it should work. But it is wrong that a BT Sync web server is listening on the BT Sync port (the one for the tracker and so on). Try it yourself. On this specific port, which you have to forward through the firewall, there should be no GUI, but there is.
     This one here is OK:
     internal web server: 192.168.1.2:8888
     This one is not:
     port for BT Sync: 4321
     external web server: externalIP:4321/gui
     internal web server: 192.168.1.2:4321/gui
  9. Sorry if this is already on your wishlist. But I would like to see the following feature: if I create on one device a sync with certain properties (sync only via tracker, and my own host), all the clients should not only get the data, but the properties too. The default behaviour is that all options are activated (relay, tracker, ..., and not my host). Is there no possibility to include this in the QR code?
  10. Hi there, I have BT Sync running on my Debian box and forwarded the specific port through my router, e.g. 4321. As far as I know, this port is used for connecting devices (like an own BT server). I have forwarded port 4321, and not 8888. In my local network I can access the WebGUI through my internal IP, let's say 192.168.1.2:8888. There I have to put in my account name/password. That's OK so far.
     BUT: why is the WebGUI listening on the external port? If you open a connection to your external IP and the given port (4321 in my setup) you get: invalid request. If you enter the external IP, the given port and the directory "gui" you can reach the web frontend. This one is only protected by the given basic authentication, which should only be reachable from the local network. Sure, you don't see your shared folders, because it only displays an empty list. But could this potentially expose your secret share codes? Furthermore, running basic auth over a non-SSL connection (for external use) isn't the best way, because an attacker could sniff the data. Inside my local network I am not concerned about basic authentication, because I know every participant. In my opinion there should be no WebGUI on the chosen BT Sync port.