OPNsense Forum

Archive => 19.1 Legacy Series => Topic started by: Jack V on May 28, 2019, 07:34:26 pm

Title: CVE-2019-11816. Feature request again due to this
Post by: Jack V on May 28, 2019, 07:34:26 pm
A couple of years back I asked if it was possible to disable the web gui and only use ssh/console to be more secure.

The answer I got back then was: "We don't understand the user case" :o

So again, can this feature please be created?

Just a simple switch after console login Enable/Disable web gui, that's all.
Title: Re: CVE-2019-11816. Feature request again due to this
Post by: mimugmail on May 28, 2019, 09:54:24 pm
Then you can just install HBSD, write a small pf script and let it run :)
Title: Re: CVE-2019-11816. Feature request again due to this
Post by: hbc on May 28, 2019, 10:08:55 pm
Isn't this the same as this:
https://forum.opnsense.org/index.php?topic=12861.msg59609#msg59609
Title: Re: CVE-2019-11816. Feature request again due to this
Post by: franco on June 03, 2019, 04:13:48 pm
You miss the point: these are privilege escalations of given limited privileges in the web GUI, not remote code execution of running exposed services. Some have existed in *sense code for the better part of a decade because nobody cared to implement a safe ACL or actually use it on a large scale giving partial admin GUI access to untrusted sources.


Cheers,
Franco