Security advisory: Stashapp

Hi all,

It's come to my attention, from a friendly user of our forum who did some of their own security research, that there are a large number of public-facing, insecure Stash environments. If you haven't already, you should secure them. If you think they're secure, check to make sure.

The user in question didn't want any credit, so they asked me to send along the info. They wrote this for you.

It has been found that some users have public-facing StashApp instances without any type of authentication. This not only puts your data at risk—allowing anyone to change and delete data—but it also opens the door for bad actors to do potentially harmful activities.

How to Check if You Are Affected

  1. Find Your Public IP Address and Try to Access Your StashApp/XBVR URL
  • Visit WhatIsMyIP.com or a similar website to find out your public IP address.
  • Using your mobile device (with mobile data) or another Wi-Fi, open a web browser and enter your public IP address followed by your port, the default being :9999 (e.g., http://your-public-ip-address:9999).
  • If you can access your StashApp/XBVR instance without any login prompt, your instance is exposed.
  2. Check Your Router’s Port Forwarding Rules
  • Log into your router’s administration page and check if you have any port forwarding rules that expose your StashApp/XBVR instance to the internet.

If You Are Affected:

  1. Do Not Just Port Forward Anything into Your Home Network!
  • Directly exposing services like StashApp/XBVR to the internet is dangerous without proper security measures. It's best to avoid forwarding ports altogether.
  2. Use Authentication
  • In your Stash instance, navigate to Settings → Security and add credentials.
  3. Use a VPN to Connect Back Home When On the Go
  • A secure way to access your home network services while away from home is to use a VPN. One of the easiest to set up and use is Tailscale.

Tailscale Basic Usage

  1. Sign in to Tailscale
  • Tailscale is free for up to three users and 100 devices. That should be sufficient for most. Use an identity provider of your choice.
  2. Install Tailscale on your desired devices
  • Follow the instructions to install Tailscale on your StashApp/XBVR server / VM / LXC and on your desired devices, like your phone or laptop.
  3. Access your instance
  • When connected to your Tailscale VPN, use the provided MagicDNS address with the correct port, or the Tailscale IP address, to connect to your instance (e.g., ‘stashapp.tail5fjc36.ts.net:9999’).

Note that this is just the quickest installation option. For more convenience, further configuration is recommended.

Stay safe out there fellow self-hosters!

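An added example, not part of the post above and not code from the Stash project: a small Python script that automates the manual "open your public IP in a browser" check, so you can re-run it from outside your LAN after every router or config change. It assumes (not stated in the post) that Stash serves its GraphQL API at /graphql, that the API accepts a `version` query, and that, once credentials are set, a request with no session cookie or API key gets a 401 (the web UI a 302 to /login).

```python
"""Automated version of the check above: can /graphql be queried with no login?
Usage (from outside your LAN): python check.py http://your-public-ip:9999"""
import json
import sys
import urllib.error
import urllib.request

# Assumed (not from the post): Stash serves GraphQL at /graphql and answers a
# `version` query; with credentials set, a request carrying no session cookie
# or API key gets 401, and the web UI redirects (302) to /login.
PROBE_QUERY = b'{"query":"{ version { version } }"}'


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx replies as HTTPError so a login redirect is visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status: int, body: str) -> str:
    """Map the probe reply's status and body to a verdict."""
    if status in (401, 403) or 300 <= status < 400:
        return "protected"   # auth challenge or bounce to /login
    if status != 200:
        return "unknown"     # server error, proxy error page, etc.
    try:
        data = json.loads(body)
    except ValueError:
        return "unknown"     # HTML or some other non-API response
    if isinstance(data, dict) and data.get("data") and not data.get("errors"):
        return "exposed"     # the API answered without any credentials
    return "unknown"


def probe(base_url: str, timeout: float = 5.0) -> str:
    """POST the probe query to <base_url>/graphql and classify the reply."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/graphql", data=PROBE_QUERY,
        headers={"Content-Type": "application/json"}, method="POST")
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode(errors="replace"))
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read().decode(errors="replace"))
    except (urllib.error.URLError, OSError):
        return "unreachable"  # nothing listening, or the port is not forwarded


if __name__ == "__main__":
    print(probe(sys.argv[1]))
```

"unreachable" is the result you want from the internet side; "exposed" means step 2 of the advice above (add credentials) and closing the port forward are overdue.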

Totalcommander → Stashdir ->F8
Thanks

Great advice!
On that topic, I would like to add:
Also check if your router has UPnP or another setting that automatically sets up port forwarding.
Too many consumer routers have that enabled by default, and it can lead to major security issues if you are hosting services that shouldn’t be public!


I've had a firewall for so long I forgot UPnP was a thing.

UPnP shouldn’t be a thing anymore… If I hadn't had a training for a network vendor recently, I would have also completely forgotten about it.