Disabling Remote Admin doesn't disable remote admin



NelsonMinar
September 28th, 2011, 01:17 PM
This new media manager + iPad thing is awesome! Really like it; with the iPad's HDMI out capability it's a nice alternative to a traditional Boxee box.

Is there any way to disable the Remote Admin HTTP server running on port 8088? I enabled it once, then clicked the big red "Disable" button. The UI shows a faded green button marked "Enable", implying it's disabled. But the server is still active and I can connect to it from various computers on my home network.

Remote Admin is a potential security problem: it allows browsing of the whole hard drive, not just shared video. If there are any bugs in Remote Admin the consequences could be pretty awkward. I'd like to turn it off please.

I'm running Boxee Media manager 1.0.66 on MacOS Lion.

NelsonMinar
November 4th, 2011, 07:24 PM
This bug is still present in 1.0.71. I'm disappointed there's been no reply; this is a significant security problem. As it stands now, Boxee Media Manager is exposing my local hard drive to everyone with network access to my Mac and I can't turn that feature off.

boxee-ray
November 4th, 2011, 08:55 PM
Hi Nelson,

The web server is always running. It has to run so that your iPad can connect.

A user who visits the server from a remote machine in hopes of performing admin functions should be greeted with a password prompt. This should happen regardless of whether remote admin is enabled or disabled.

If remote admin has been turned off, anyone who enters a boxee username and password will be greeted with a simple screen that tells them they do not have privileges to be an admin.

I am hoping that you are assuming that admin functionality is accessible when it is not. Can you check again and let me know if you see behavior that is different than what I've described? If there is indeed a security issue here I will make sure it is addressed, but I think this is just a misunderstanding.

Thanks!

Ray

NelsonMinar
November 6th, 2011, 12:08 PM
Thanks for the reply. You're right, remote visitors are required to enter a password when accessing the web browser. My apologies for crying wolf on the security issue; as long as the authentication code works right it should be OK.

Two things confused me. One, the admin interface works without login when accessing via the IP address (on the same machine), not just http://localhost:8088/. And two, I didn't understand the same web server served the iPad browser, I see now why it's not turned off.

Thanks again for the response.
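A self-check a user can run on the Mac in question to see whether the port-8088 server answers an unauthenticated request differently on loopback and on the LAN address, which is the difference the last post describes. This is an added example, not Boxee's code; it assumes the server answers on the root path and that a password prompt arrives either as an HTTP 401 or as a login page served with 200 (the admin URL path is not given in the thread, so only "/" is requested).

```python
"""Compare unauthenticated responses from Boxee Media Manager's port-8088
web server when reached via 127.0.0.1 and via this machine's LAN address."""
import socket
import urllib.error
import urllib.request

PORT = 8088   # port named in the thread
PATH = "/"    # only URL the thread gives; the admin path is not on the page


def lan_ip():
    """Pick the address a LAN peer would use; UDP connect() only selects a route."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.connect(("192.0.2.1", 1))      # TEST-NET-1, nothing is actually sent
        return s.getsockname()[0]
    except OSError:
        return None                      # no route: skip the LAN comparison
    finally:
        s.close()


def fetch(host, port=PORT, path=PATH, timeout=3):
    """Unauthenticated GET; returns (status, headers) or (None, {}) if unreachable."""
    req = urllib.request.Request(f"http://{host}:{port}{path}")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers)
    except OSError:
        return None, {}


def classify(status, headers):
    """Map a response onto the behaviours discussed in the thread."""
    has_challenge = any(k.lower() == "www-authenticate" for k in headers)
    if status is None:
        return "not listening"
    if status == 401 or has_challenge:
        return "credentials required"
    if status == 403:
        return "reachable, access denied"
    if 200 <= status < 300:
        return "served without credentials (inspect body: login form or content?)"
    return f"unexpected HTTP {status}"


def compare():
    """Verdict per address; a 200 on loopback but 401 on the LAN matches the thread."""
    hosts = ["127.0.0.1"] + ([lan_ip()] if lan_ip() else [])
    return {h: classify(*fetch(h)) for h in hosts}


if __name__ == "__main__":
    for host, verdict in compare().items():
        print(f"{host:>15}: {verdict}")
```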