Inactivity time limit [should be fixed in v1.371]

edited January 2020 in Problems Now Fixed
Hello guys,
My friend sent to me interesting screenshot:

It's use 30 min inactive timeout on the KiwiSDR control menu, but it's look like someone hacked this limit to 8 hours. :)
Maybe you know how it's possible?


  • Probably just a software bug rather than any "hacking". The inactivity timeout is 30 min you say, but I assume there is no 24hr limit set?

    The best way to debug this would be to connect to the Kiwi server with a debugger. But that of course is difficult if the problem is not happening repeatedly (and would also require me to have out-of-band ssh access).
  • edited November 2019
    Limits for this KiwiSDR - 30 min inactivity and 8 hours per-IP for 24 hour, suspiciously, same 8 hours.
    But this user know how exploit this problem, he did it on 2 different KiwiSDR.
  • In the user list the first that will expire is shown. So in this case since the inactivity limit is less than the 24hr limit the inactivity time left should always be shown. So the problem is that for this connection it thinks there is no inactivity limit.

    Has an exemption password been set? But if they were using the exemption password both limits would be bypassed and no limitation would be shown. So that can't be it. Still seems like a bug..
  • New screenshot from my KiwiSDR with limit 60 min for connection...
    but 10 hours for one active connection, how?
  • Given that his id is "kiwi4ever" I would say hacker (lol).
    I'll take a look. Don't kick him (yet).
  • What's the URL of this Kiwi? The one I thought it was is not online (email to if you'd like).
  • sorry, I upgrade it to v 1.369 and all connection lost... of course it's look like record IQ for this frequency
  • but may be something on logs...
  • I've got lots of debug stuff in the code to help me with things like this. But I have to look at it while it's actually happening..
  • edited January 2020
    @jks I want to ask, - why the time limit does not apply to recordings? I think if we have field "Time limit exemption password" why don't add same to option if you need exemption this limit for record? Like python -s -p 8073 -pwd PaSsWoRd ....
  • jksjks
    edited January 2020
    I'd have to add a Kiwi API call for this. From the browser you can specify the exemption password in the URL. But kiwirecorder takes a hostname/port and not a full URL with query string options. Let me work on this..
  • jksjks
    edited January 2020
    Lol. I don't even remember how this stuff works anymore.

    So kiwirecorder has a new option "--tlimit-pw" ("--tlimit-password") to specify the time limit exemption password. That was easy. No server changes required (for a change).

    What was interesting was that I found an old exemption mechanism in the code that I had forgotten about. It doesn't use a password. I must have put that in there when people were complaining about their kiwirecorder sessions being disconnected (on a time-limited Kiwi) before exemption passwords were implemented. But a hacker who discovered this mechanism could use it in an injection session to get unrestricted browser access, which is exactly what you are seeing.

    So the next release will remove this old mechanism and people will have to get the actual password from the Kiwi owner for making long recordings that exceed the time limit (if configured).
  • edited January 2020
    I believe that directKiwi connects had no time limit, so 1.371 should fix that
  • edited January 2020
    @WA2ZKD Yes, on 1.371 I see limits for directKiwi external connection:
  • There's an apparent bug in the inactivity timeout. It doesn't seem to recognize local IPv6 users as local, so it still times them out.
Sign In or Register to comment.