Comments (6)
Christoph Lechleitner - 2013-12-15
A recently pubishled (generally positive) review in the German IT magazine iX (issue 12/2013, page 144), also mentioned poor authentication system as most important weakness of phpvirtualbox.
I think a lot of people would like to see a major enhancement here.
Actually, I'd expect Oracle to put some efforts (say, money for 1-2 full time developers) in this. They don't offer any Web UI on their own but point to phpvirtualbox, too. Unfortunately they are well known for really poor handling of security problems.
from phpvirtualbox.
Audun Larsen - 2014-02-01
Hi,
This could be to some help: http://xqus.com/blog/phpvirtbox-vboxauthsimple
from phpvirtualbox.
Christoph Lechleitner - 2014-02-01
Thanks for that proposal and link.
That approach sounds even better - if we trust VirtualBox not to drop VBoxAuthSimple.
Anyway it'd be great to see that integrated into the phpvirtualbox upstream.
from phpvirtualbox.
Tim K - 2015-11-19
The http://xqus.com/blog/phpvirtbox-vboxauthsimple link is no longer available and phpvirtualbox is now at version 5.0-X. Still appears to require the password to be hardcoded into the config.php. Anyone have a way to NOT include the password in clear text of the config.php?
from phpvirtualbox.
Ian Moore - 2015-12-07
Here's the thing - if phpvirtualbox required a password encrypted with some key, it would still have to decrypt it before it sends it to vboxwebsrv which requires a plain text password. If it needs to decrypt it, it would need to store the key and any attacker with access to your system could easily decrypt it. It would be so easy to decrypt that there would just be no point. And many PHP applications do this for passwords. It is a false sense of security. Though I guess I could move in that route to make people feel better (falsly).
The way I run all my servers is I dIsable authentication in vboxwebsrv and remove the password from config.php.
I'll look again into if vboxauthsimple could be used. It does sound promising.
from phpvirtualbox.
Marcin Kucharczyk - 2016-04-24
I solved the problem protecting the phpvirtualbox folder with .htaccess/.htpasswd and making a small modification of config.php:
% diff config.php.sample config.php
8a9
>
12,13c13,20
< var $username = 'vbox';
< var $password = 'pass';
---
> var $username = '';
> var $password = '';
>
> public function __construct()
> {
> $this->username = $_SERVER["PHP_AUTH_USER"];
> $this->password = $_SERVER["PHP_AUTH_PW"];
> }
Now before login to phpVirtualBox I must login to apache, and next my login data are used for authentication to VBoxManage. The password in .htpasswd is encrypted.
BTW: Why the login data of phpVirtualBox are not used to login to virtual machines? In multiuser system, when users have own virtual machines it will enable control only of their machines after login.
Last edit: Marcin Kucharczyk 2016-04-24
from phpvirtualbox.
Related Issues (20)
- Filesystem browsing not working HOT 1
- Request: Manual modified 7.0x version .zip HOT 2
- Add support for additional motherboard firmware modes
- An unknown PHP error occurred HOT 1
- Error create virtual machine - Too few arguments to function IVirtualBox HOT 9
- Virtualbox 7 + PHP 8.2 = Remote Acess Tab not working HOT 5
- Error clone VM - Too few arguments to function IVirtualBox::createMachine() HOT 2
- Phpvirtualbox
- Inquire about the technology used on this site HOT 2
- Supporting Virtualbox 7.0? HOT 2
- Choose a Virtual optical Disk File Not Load files... HOT 4
- phpVB has bag with jqueryFileTree.php and file list HOT 1
- CTRL + ALT + SUPPR on Windows Server not work (critical problem)
- SOLVED_This XML file does not appear to have any style information associated with it. The document tree is shown below. HOT 1
- Could not connect to host (http://localhost:18083/) HOT 1
- Cannot create snapshots
- Refresh the VM list when vboxwebservice is running
- Undefined array key prevents login HOT 2
- .
- 那个大神能不能抽空把这个程序升级下
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from phpvirtualbox.