Package: qbittorrent-nox
Version: 4.5.2-3
Severity: normal
X-Debbugs-Cc: thatguych...@gmail.com

Dear Maintainer,

   * What led up to the situation?

Tinkering off and on with a testing server, qbittorrent-nox installed, webUI
open to LAN, default login credentials were not changed. Outside parties gained
access to the webUI through UPnP, downloaded a dummy torrent, and ran a
script via the "run command on torrent completion" option.

   * What exactly did you do (or not do) that was effective (or
     ineffective)?

Shut down the machine.

   * What was the outcome of this action?

Wipe and reinstall.

   * What outcome did you expect instead?

I take responsibility here, as I did not change the default login credentials
for the webUI, thinking it was only accessible from my LAN. However, after some
searches I find I'm not the only one who got caught by this, which is probably
why the bots are scanning for it.

Upstream has since changed the default for the WebUI UPnP to "OFF". See here:
https://github.com/qbittorrent/qBittorrent/pull/18832

Is it possible to backport this setting?

Thanks for all that you do!

-- System Information:
Debian Release: 12.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-13-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages qbittorrent-nox depends on:
ii  libc6                    2.36-9+deb12u3
ii  libgcc-s1                12.2.0-14
ii  libqt5core5a             5.15.8+dfsg-11
ii  libqt5network5           5.15.8+dfsg-11
ii  libqt5sql5               5.15.8+dfsg-11
ii  libqt5sql5-sqlite        5.15.8+dfsg-11
ii  libqt5xml5               5.15.8+dfsg-11
ii  libssl3                  3.0.11-1~deb12u2
ii  libstdc++6               12.2.0-14
ii  libtorrent-rasterbar2.0  2.0.8-1+b1
ii  zlib1g                   1:1.2.13.dfsg-1

qbittorrent-nox recommends no packages.

qbittorrent-nox suggests no packages.
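
Added example, not part of the original report and not qBittorrent or Debian code: a small audit of a qBittorrent.conf for the three conditions the report describes (WebUI UPnP on, default WebUI credentials, a run-on-completion command). The key names, the finding labels and the sample config are assumptions constructed for illustration.

```python
import configparser
import sys

# Constructed sample config. Key names follow the qBittorrent 4.x
# qBittorrent.conf layout and are assumptions, not taken from the report.
SAMPLE_CONF = r"""
[AutoRun]
enabled=true
program=/path/to/unknown-script.sh

[Preferences]
WebUI\Address=*
WebUI\Port=8080
WebUI\Username=admin
"""

def audit(conf_text, upnp_default=True):
    """Return findings for the three conditions described in the report.

    upnp_default is the value used when the UPnP key is absent: True for
    builds that predate the upstream change of the default to OFF.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case as written in the file
    cp.read_string(conf_text)
    prefs = cp["Preferences"] if cp.has_section("Preferences") else {}
    autorun = cp["AutoRun"] if cp.has_section("AutoRun") else {}
    findings = []
    upnp = prefs.get(r"WebUI\UseUPnP")
    if (upnp_default if upnp is None else upnp.strip().lower() == "true"):
        findings.append("webui-upnp-enabled")
    # Assumption: with no stored password hash the built-in default applies.
    if r"WebUI\Password_PBKDF2" not in prefs:
        findings.append("webui-default-password")
    # A command the administrator did not set is an indicator of compromise.
    if autorun.get("enabled", "false").strip().lower() == "true" \
            and autorun.get("program", "").strip():
        findings.append("autorun-command-set")
    return findings

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for finding in audit(text):
        print(finding)
```

Run it with the path to the service account's qBittorrent.conf as the only argument; with no argument it audits the constructed sample.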