Emperor Servers

Suggestions for better security!

Hi,

First of all, I love this server tool but I have found some serious security issues that I want to point out.
Here are some suggestions for some better security options for the Server web console:
I am using ACSM v2.3.12 on a Ubuntu 22.04.3 server.

  • 2FA security login, for example with an Auth app, for way better security than just a password, which can be easily hacked on the login page for a user login.
  • Every user needs to set up his 2FA Auth on their first login. In this way only that user can log in to that account and no others can use it to log in with that username.
  • If you could assign which users can see or moderate which server(s) if you're running multiple servers. For example, user1 can only moderate server1 but not server2, and user2 can moderate only server2 and not server1. Also they can't see the other servers, only the ones they are assigned to.
  • Auto log out after 5-10 min of not using the web page? After 9 min or so you get a popup to extend your login if you want to continue what you're doing. If there is no response you get automatically logged out. The interval could be set by the root admin but should never be set to null or disabled.
  • If you want live timings for the public, don’t use them with a user login but make a separate webpage with no login and just on port 443 (HTTPS with an auto Let’s Encrypt certificate) so there can’t be hacking (DB table injection) into the DB tables. DB table injection is a serious hacking method that is used by hackers.

This is what I have noticed in my first days of using this tool. If I find more I will update this topic.
I hope to see these security issues fixed soon in an upcoming update.

Thank you for your feature requests (described in bullet points 1-4) related to the account system in ACSM. We will investigate them for a future release.

In response to your 5th bullet point, I believe that you are referring to SQL Injection. ACSM does not use an SQL database (so cannot be vulnerable to SQL injection). Running a web server over HTTPS does not prevent SQL injection. There are other advantages to using HTTPS and we recommend it for all users - this can be configured either in ACSM itself or by means of a Reverse Proxy.

If you have any specific security flaws that you have discovered, I ask that you contact us directly at support@emperorservers.com, and we will make every effort to resolve them in a timely manner.
