Show_log returns log files to unauthorized users

I am opening the show_log endpoint, from a browser I have never used before, with valid parameters. For example:
https://duplicacy.example.com/show_log?name=backup-20250606-180318.log

I expect to get unauthorized error.

But I am getting the complete log file, together with file names and storage details.

This is serious because my duplicacy is visible from the internet and people around the world are fetching the logs! I can see it in the WEB server logs.
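The original poster found the external fetches by reading the web server's access log. The following is an added example for this thread, not code from the thread or from Duplicacy: a small triage script that scans an access log for Duplicacy UI pages served (HTTP 200) to addresses outside the local network. The log lines are constructed in Combined Log Format, the public addresses in them are RFC 5737 documentation addresses, and the list of sensitive path prefixes is an assumption built from the one path the thread mentions.

```python
"""Triage a web-server access log for Duplicacy web UI pages fetched from
outside the local network. Added example for this forum thread; not part of
Duplicacy. SAMPLE_LOG is constructed (Combined Log Format, RFC 5737 addresses)."""
import ipaddress
import re
from collections import Counter

# Paths the thread reports as reachable without the admin password (assumed
# starting list; extend with any other UI endpoints you want reviewed).
SENSITIVE_PREFIXES = ("/show_log",)

# Address ranges treated as local: loopback, RFC 1918, IPv6 loopback and ULA.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7")]

# Combined Log Format: client, ident, user, [timestamp], "METHOD target proto", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)')

# Constructed sample: two external fetches of a log, one LAN fetch, one
# external request to "/" that was refused.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Jun/2025:18:05:12 +0000] "GET /show_log?name=backup-20250606-180318.log HTTP/1.1" 200 48211
192.168.1.20 - - [06/Jun/2025:18:06:02 +0000] "GET /show_log?name=backup-20250606-180318.log HTTP/1.1" 200 48211
198.51.100.44 - - [06/Jun/2025:18:07:41 +0000] "GET / HTTP/1.1" 401 0
198.51.100.44 - - [06/Jun/2025:18:07:55 +0000] "GET /show_log?name=backup-20250606-180318.log HTTP/1.1" 200 48211
"""


def is_local(ip_text):
    """True if the client address falls in one of LOCAL_NETS."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparsable address: keep it in the review set
    return any(ip in net for net in LOCAL_NETS)


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["target"].split("?", 1)[0]  # strip the query string
    return rec


def exposed_fetches(log_text):
    """Records where a sensitive path was served with HTTP 200 to a non-local client."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec and rec["status"] == 200
                and rec["path"].startswith(SENSITIVE_PREFIXES)
                and not is_local(rec["ip"])):
            hits.append(rec)
    return hits


def sources(hits):
    """Count of exposed fetches per external client address."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = exposed_fetches(SAMPLE_LOG)
    for h in found:
        print(h["ts"], h["ip"], h["target"])
    print("distinct external sources:", dict(sources(found)))
```

Pipe a real access log into `exposed_fetches` (reading the file instead of `SAMPLE_LOG`) to get the list of external clients that received log contents; a 200 on a sensitive path from a non-local address is the condition the poster describes, while 401 responses show the password prompt was enforced for that request.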

Oh my god, it is even worse!
You can open every bloody link without authorization! The only link requesting authorization is root.

Oh my god…

BTW, version is 1.8.3, FreeBSD.

On Linux it works as expected - I have to login to be able to see anything.
On Linux I am using version 1.8.0.
On FreeBSD, version 1.8.3, shows everything without password except /.

Did you set the Administration Password on the Setting page? All pages are public if you don’t set this password.

The admin password was set but it looks like it is removed from both servers. If I set it again, it works properly, blocking access.

I will keep duplicacy off the Internet anyway because I did set passwords before - I have them in Bitwarden.
I don’t know what happened and I won’t risk it any more.

Thanks.

This is a prudent thing to do anyway. It’s a local web app; it’s not designed to withstand probing from the internet. I’d even go as far as suggesting keeping it listening only on loopback.

If you want to access it remotely, including from other machines in the LAN or the internet, there are a number of tools to provide security, such as Cloudflare Zero Trust (which is a perfect fit for securing and making internal applications available externally), or ssh port tunneling (less setup in the LAN).
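Two posts above describe the two checks worth repeating after changing anything: that re-setting the admin password actually blocks unauthenticated access, and that the UI is only reachable through loopback or an ssh tunnel. The following is an added example for this thread, not code from the thread or from Duplicacy: `probe()` issues unauthenticated GETs to a base URL without following redirects and `check()` reports whether any path came back 200. A small stand-in server is included (constructed, mimicking the thread's observation that "/" asked for auth while other pages were served) so the block runs offline; the endpoint list is an assumption drawn from the one path the thread mentions.

```python
"""Verify that a Duplicacy web UI base URL refuses unauthenticated requests.
Added example for this forum thread; not part of Duplicacy. The stand-in
server below is constructed so the check runs offline; point check() at a
real instance's base URL to test the actual deployment."""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

# Paths to probe without credentials (assumed list: root plus the one
# endpoint the thread names).
PATHS = ["/", "/show_log?name=backup-20250606-180318.log"]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx: a redirect to a login page must count as 'refused',
    not as a 200 from the login page itself."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError carrying the 3xx code


_OPENER = urllib.request.build_opener(_NoRedirect)


def probe(base_url, paths=PATHS, timeout=5):
    """Return {path: status} for unauthenticated GETs; None means unreachable."""
    results = {}
    for path in paths:
        url = base_url.rstrip("/") + path
        try:
            with _OPENER.open(url, timeout=timeout) as resp:
                results[path] = resp.status
        except urllib.error.HTTPError as e:   # 401/403/3xx etc.
            results[path] = e.code
        except urllib.error.URLError:          # connection refused, DNS, timeout
            results[path] = None
    return results


def check(base_url):
    """(enforced, results): enforced is True only if no path was served with 200."""
    results = probe(base_url)
    return all(code != 200 for code in results.values()), results


# --- constructed stand-in server, used only so the example runs offline ---
class _StandIn(BaseHTTPRequestHandler):
    password_set = False

    def do_GET(self):
        path = urlparse(self.path).path
        # Mirrors the thread: with no password, "/" prompts but other pages are served.
        if self.password_set or path == "/":
            self.send_response(401)
            self.end_headers()
            return
        body = b"constructed log contents: file names and storage details\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example's output quiet
        pass


def run_stand_in(password_set):
    """Start a stand-in on a free loopback port; returns (server, base_url)."""
    handler = type("StandIn", (_StandIn,), {"password_set": password_set})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


if __name__ == "__main__":
    for pw in (False, True):
        srv, url = run_stand_in(pw)
        enforced, res = check(url)
        print(f"password_set={pw}: {'enforced' if enforced else 'EXPOSED'} {res}")
        srv.shutdown()
        srv.server_close()
```

Against a real instance, run `check("http://127.0.0.1:3875")` from the machine itself, or through an ssh local forward such as `ssh -N -L 127.0.0.1:3875:127.0.0.1:3875 user@host` (the port is an assumption; use whatever the instance listens on). If the UI is bound to loopback only, the same `check()` run from another machine against the host's LAN address should return `None` for every path, which is the second property the post above recommends.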

An ssh tunnel is the way to go. Thanks!