Spksrc: URGENT! Transmission package somehow steals MAIN DSM USERNAME AND PASSWORD!

Created on 12 Nov 2019 · 3 Comments · Source: SynoCommunity/spksrc

See previous post.

I installed the SynoCommunity Transmission package, and during the initial installation setup I tried three different ways of specifying passwords: leaving the suggested defaults, leaving both fields blank, and specifying my own username and password.

On running the package, at www.ddns.com:9091, none of the three username/password combinations were accepted.

What WAS accepted, however, was the MAIN DSM USERNAME AND PASSWORD. This let me into the Transmission web GUI at www.ddns.com:9091.

This means the Transmission package is somehow able to find this info and uses it. How? This needs to be fixed urgently! I have advised Synology.

All 3 comments

This just means that you are doing a DSM login that way.
Transmission does not use any form of login once it is running.

If you don't believe me, just log in directly to your NAS desktop (so not via www.ddns.com) and open Transmission from the desktop menu.
You will see that the Transmission GUI is opened without asking for any login.

Please don't create panic if you do not know what you are really experiencing.

Does transmission run its own web server? It probably uses the system wide Apache server that also serves the DSM user interface.

Maybe there is a global setting protecting access to all served resources by default? Or some higher level .htaccess file triggering the authentication? In any case it would be perfectly fine for Apache to authenticate against the DSM user credentials database just like its own web GUI does. No leak there, just a centralized authentication scheme like PAM for example.

You have not described what the login form looks like, a screenshot might help to clarify.

Don't Panic.

Please use #3800 for further discussion.
