Inactivity time limit [should be fixed in v1.371]
Hello guys,
My friend sent me an interesting screenshot:
It uses a 30 min inactivity timeout on the KiwiSDR control menu, but it looks like someone hacked this limit to 8 hours.
Maybe you know how it's possible?
Comments
The best way to debug this would be to connect to the Kiwi server with a debugger. But that of course is difficult if the problem is not happening repeatedly (and would also require me to have out-of-band ssh access).
But this user knows how to exploit this problem; he did it on 2 different KiwiSDRs.
Has an exemption password been set? But if they were using the exemption password both limits would be bypassed and no limitation would be shown. So that can't be it. Still seems like a bug.
But 10 hours for one active connection, how?
I'll take a look. Don't kick him (yet).
So kiwirecorder has a new option "--tlimit-pw" ("--tlimit-password") to specify the time limit exemption password. That was easy. No server changes required (for a change).
What was interesting was that I found an old exemption mechanism in the code that I had forgotten about. It doesn't use a password. I must have put that in there when people were complaining about their kiwirecorder sessions being disconnected (on a time-limited Kiwi) before exemption passwords were implemented. But a hacker who discovered this mechanism could use it in an injection session to get unrestricted browser access, which is exactly what you are seeing.
So the next release will remove this old mechanism and people will have to get the actual password from the Kiwi owner for making long recordings that exceed the time limit (if configured).
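An added illustration, not part of any post in this thread and not KiwiSDR code: the class of bug described above, where a time-limit exemption is granted without a password, next to a check that requires the owner's exemption password. The thread does not say how the old mechanism worked, so the client-asserted `client_type` field, the `tlimit_password` field and all values are assumptions constructed for the example.

```python
import hmac

# Constructed values for illustration; not taken from KiwiSDR.
INACTIVITY_LIMIT_SECS = 30 * 60
EXEMPT_PASSWORD = "example-owner-password"  # hypothetical owner-configured secret


def is_exempt_legacy(session: dict) -> bool:
    """'Before': exemption rests on something the client merely asserts."""
    # Hypothetical client-supplied field; nothing proves it is true.
    return session.get("client_type") == "recorder"


def is_exempt_hardened(session: dict) -> bool:
    """'After': exemption only for a client presenting the owner's password."""
    supplied = session.get("tlimit_password")
    if not isinstance(supplied, str) or not EXEMPT_PASSWORD:
        return False  # missing password, or no password configured: no exemption
    # Constant-time comparison avoids leaking the secret through timing.
    return hmac.compare_digest(supplied.encode(), EXEMPT_PASSWORD.encode())


def should_disconnect(session: dict, is_exempt) -> bool:
    """Enforce the inactivity limit unless the chosen exemption check passes."""
    if is_exempt(session):
        return False
    return session["idle_secs"] >= INACTIVITY_LIMIT_SECS


def sessions_past_limit(sessions: list, is_exempt) -> list:
    """Ids of sessions still connected past the limit: what an owner would audit."""
    return [s["id"] for s in sessions
            if s["idle_secs"] >= INACTIVITY_LIMIT_SECS
            and not should_disconnect(s, is_exempt)]


# Constructed sample sessions.
SESSIONS = [
    {"id": "a", "client_type": "browser", "idle_secs": 8 * 3600},
    {"id": "b", "client_type": "recorder", "idle_secs": 8 * 3600},  # asserts only
    {"id": "c", "client_type": "recorder", "idle_secs": 10 * 3600,
     "tlimit_password": "example-owner-password"},
    {"id": "d", "client_type": "browser", "idle_secs": 60},
]

if __name__ == "__main__":
    print("legacy:  ", sessions_past_limit(SESSIONS, is_exempt_legacy))
    print("hardened:", sessions_past_limit(SESSIONS, is_exempt_hardened))
```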