What's new

[Script] Add a warning in WebUI when Remote Access is enabled

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Dabombber

Senior Member
Most people are probably like me where they don't check random settings like Remote WebUI Access ever again once they've disabled it. And given that it's possibly been enabled without them knowing (like me >.<), I figured it'd be useful to show a warning for it.

Code:
#!/bin/sh

NOTIFILE="/jffs/www/notification.js"
MAGICNUMBER=20

_quote() {
   printf "%s\n" "$1" | sed 's/[]\/$*.^&[]/\\&/g'
}

str_append() {
   PATTERN="$(_quote "$1")"
   CONTENT="$(_quote "$2")"
   sed -i "s/$PATTERN/&$CONTENT/" "$3"
}

line_append() {
   PATTERN="$(_quote "$1")"
   CONTENT="$(_quote "$2")"
   sed -i -e "/$PATTERN/a\\" -e "$CONTENT" "$3"
}

line_prepend() {
   PATTERN="$(_quote "$1")"
   CONTENT="$(_quote "$2")"
   sed -i -e "/$PATTERN/i\\" -e "$CONTENT" "$3"
}

file_append() {
   printf "%s\n" "$1" >> "$2"
}

# Remove any stale file
TIMESTAMP="$(date -r "/www/notification.css")"
if [ -e "$NOTIFILE" ]; then
   if ! grep -Fq "$TIMESTAMP" "$NOTIFILE"; then
       mount | grep -Fq "/www/notification.js" && umount "/www/notification.js"
       rm "$NOTIFILE"
   else
       # Up to date, nothing to do here
       unset TIMESTAMP
   fi
fi

# Make new file
if [ -n "$TIMESTAMP" ]; then
   mkdir -p "$(dirname "$NOTIFILE")"
   cp "/www/notification.js" "$NOTIFILE"

   # Add WebUI stuff where samba stuff is
   line_append "var enable_samba" "var misc_http_x = '<% nvram_get(\"misc_http_x\"); %>';" "$NOTIFILE"
   line_append "samba: 0," "webuiwan: 0," "$NOTIFILE"
   str_append "notification.ftp ,notification.samba" " ,notification.webuiwan" "$NOTIFILE"
   str_append "&& !notification.samba" " && !notification.webuiwan" "$NOTIFILE"
   line_prepend "st_samba_force_mode == ''" "if(misc_http_x != 0){notification.array[${MAGICNUMBER}] = 'noti_webuiwan'; notification.webuiwan = 1; notification.desc[${MAGICNUMBER}] = 'Your WebUI is currently accessable from the internet. We strongly recommend that you disable [ Enable Web Access from WAN ] to avoid security risk.'; notification.action_desc[${MAGICNUMBER}] = 'Change now'; notification.clickCallBack[${MAGICNUMBER}] = \"location.href = 'Advanced_System_Content.asp';\";}else{notification.webuiwan = 0;}" "$NOTIFILE"
   str_append "|| notification.samba" " || notification.webuiwan" "$NOTIFILE"
   line_append "this.samba = 0;" "this.webuiwan = 0;" "$NOTIFILE"
   file_append "// Source timestamp: $TIMESTAMP" "$NOTIFILE"
fi

# Mount over stock file
if ! mount | grep -Fq "/www/notification.js"; then
   mount -o bind "$NOTIFILE" "/www/notification.js"
fi

It might be necessary to run 'service restart_httpd' after running the script.
If you leave the created file in the jffs directory it should survive a reboot but the bind won't, so you can either link to, or just put the whole thing in jffs/scripts/init-start.
To undo the changes it makes, you can run the command 'umount /www/notification.js', and delete the file/directories it made (/jffs/www/notification.js).
 

Attachments

  • Untitled.png
    Untitled.png
    36 KB · Views: 462
Last edited:
Most people are probably like me where they don't check random settings like Remote WebUI Access ever again once they've disabled it. And given that it's possibly been enabled without them knowing (like me >.<), I figured it'd be useful to show a warning for it.

Code:
#!/bin/sh

NOTIFILE="/jffs/www/notification.js"
MAGICNUMBER=20

_quote() {
    printf "%s\n" "$1" | sed 's/[]\/$*.^&[]/\\&/g'
}

str_replace() {
    PATTERN="$(_quote "$1")"
    CONTENT="$(_quote "$2")"
    sed -i "s/$PATTERN/$CONTENT/" "$3"
}

line_prepend() {
    PATTERN="$(_quote "$1")"
    CONTENT="$(_quote "$2")"
    sed -i "/$PATTERN/i\\\$CONTENT" "$3"
}

line_append() {
    PATTERN="$(_quote "$1")"
    CONTENT="$(_quote "$2")"
    sed -i "/$PATTERN/a\\\$CONTENT" "$3"
}

if [ ! -e "$NOTIFILE" ]; then
    mkdir -p "$(dirname "$NOTIFILE")"
    cp "/www/notification.js" "$NOTIFILE"

    # Add WebUI stuff where samba stuff is
    line_append "var enable_samba" "var misc_http_x = '<% nvram_get(\"misc_http_x\"); %>';" "$NOTIFILE"
    line_append "samba: 0," "webuiwan: 0," "$NOTIFILE"
    str_replace "notification.ftp ,notification.samba" "notification.ftp ,notification.samba ,notification.webuiwan" "$NOTIFILE"
    str_replace "&& !notification.samba" "&& !notification.samba && !notification.webuiwan" "$NOTIFILE"
    line_prepend "st_samba_force_mode == ''" "if(misc_http_x != 0){notification.array[${MAGICNUMBER}] = 'noti_webuiwan'; notification.webuiwan = 1; notification.desc[${MAGICNUMBER}] = 'Your WebUI is currently accessable from the internet. We strongly recommend that you disable [ Enable Web Access from WAN ] to avoid security risk.'; notification.action_desc[${MAGICNUMBER}] = 'Change now'; notification.clickCallBack[${MAGICNUMBER}] = \"location.href = 'Advanced_System_Content.asp';\";}else{notification.webuiwan = 0;}" "$NOTIFILE"
    str_replace "|| notification.samba" "|| notification.samba || notification.webuiwan" "$NOTIFILE"
    line_append "this.samba = 0;" "this.webuiwan = 0;" "$NOTIFILE"
fi
if [ -z "$(mount | grep /www/notification.js)" ]; then
    mount -o bind "$NOTIFILE" "/www/notification.js"
fi

It might be necessary to run 'service restart_httpd' after running the script.
If you leave the created file in the jffs directory it should survive a reboot but the bind won't, so you can either link to, or just put the whole thing in jffs/scripts/init-start.
To undo the changes it makes, you can run the command 'umount /www/notification.js', and delete the file/directories it made.


Has this script been fully tested? Can you provide a couple of screenshots for us of what to expect?

This might be a great addition to the amtm script by thelonelycoder? :)
 
There's an attached screenshot showing the warning when access to the WebUI through WAN is enabled (and also that I need to update my firmware). As for testing that's what it's here for ;). I just followed Asus' implementation so it should be fine as long as the magic number isn't being used in some other models, and if so it can just be changed.
 
Most people are probably like me where they don't check random settings like Remote WebUI Access ever again once they've disabled it. And given that it's possibly been enabled without them knowing (like me >.<), I figured it'd be useful to show a warning for it.

Code:
#!/bin/sh

NOTIFILE="/jffs/www/notification.js"
MAGICNUMBER=20

_quote() {
    printf "%s\n" "$1" | sed 's/[]\/$*.^&[]/\\&/g'
}

str_replace() {
    PATTERN="$(_quote "$1")"
    CONTENT="$(_quote "$2")"
    sed -i "s/$PATTERN/$CONTENT/" "$3"
}

line_prepend() {
    PATTERN="$(_quote "$1")"
    CONTENT="$(_quote "$2")"
    sed -i "/$PATTERN/i\\\$CONTENT" "$3"
}

line_append() {
    PATTERN="$(_quote "$1")"
    CONTENT="$(_quote "$2")"
    sed -i "/$PATTERN/a\\\$CONTENT" "$3"
}

if [ ! -e "$NOTIFILE" ]; then
    mkdir -p "$(dirname "$NOTIFILE")"
    cp "/www/notification.js" "$NOTIFILE"

    # Add WebUI stuff where samba stuff is
    line_append "var enable_samba" "var misc_http_x = '<% nvram_get(\"misc_http_x\"); %>';" "$NOTIFILE"
    line_append "samba: 0," "webuiwan: 0," "$NOTIFILE"
    str_replace "notification.ftp ,notification.samba" "notification.ftp ,notification.samba ,notification.webuiwan" "$NOTIFILE"
    str_replace "&& !notification.samba" "&& !notification.samba && !notification.webuiwan" "$NOTIFILE"
    line_prepend "st_samba_force_mode == ''" "if(misc_http_x != 0){notification.array[${MAGICNUMBER}] = 'noti_webuiwan'; notification.webuiwan = 1; notification.desc[${MAGICNUMBER}] = 'Your WebUI is currently accessable from the internet. We strongly recommend that you disable [ Enable Web Access from WAN ] to avoid security risk.'; notification.action_desc[${MAGICNUMBER}] = 'Change now'; notification.clickCallBack[${MAGICNUMBER}] = \"location.href = 'Advanced_System_Content.asp';\";}else{notification.webuiwan = 0;}" "$NOTIFILE"
    str_replace "|| notification.samba" "|| notification.samba || notification.webuiwan" "$NOTIFILE"
    line_append "this.samba = 0;" "this.webuiwan = 0;" "$NOTIFILE"
fi
if [ -z "$(mount | grep /www/notification.js)" ]; then
    mount -o bind "$NOTIFILE" "/www/notification.js"
fi

It might be necessary to run 'service restart_httpd' after running the script.
If you leave the created file in the jffs directory it should survive a reboot but the bind won't, so you can either link to, or just put the whole thing in jffs/scripts/init-start.
To undo the changes it makes, you can run the command 'umount /www/notification.js', and delete the file/directories it made.

fwiw, Skynet includes this functionality by default disabling WAN access to the GUI/SSH. Although not as flashy with the alerts, it posts to the syslog instead.
 
fwiw, Skynet includes this functionality by default disabling WAN access to the GUI/SSH. Although not as flashy with the alerts, it posts to the syslog instead.

“..includes this functionality by default”; so this is in addition to Secure Mode and functions even if Secure Mode is off? Or perhaps it’s part of Secure Mode and that’s on by default, which would make more sense?
 
Last edited:
“..includes this functionality by default”; so this is in addition to Secure Mode and functions even if Secure Mode is off? Or perhaps it’s part of Secure Mode and that’s on by default, which would make more sense?

Yes this feature is part of secure mode which is enabled by default, which will actively prevent insecure settings from being enabled. Not to take away from the OP whose implementation looks aesthetically pleasing.
 
Yes this feature is part of secure mode which is enabled by default, which will actively prevent insecure settings from being enabled. Not to take away from the OP whose implementation looks aesthetically pleasing.

As Skynet evolves, who lnows what aesthetic pleasures await?

By the way, was secure mode always on by default, or had the user to enable it when it was first introduced? (I thought I had to enable it originally, but my memory is dodgy.)
 
Looks like a firmware update changes the dictionary references and breaks things horribly. I've updated the script to add the last modification date to the end of the js file as a comment, and replace it if it doesn't match the stock version.
 
Just realised that if the js file is already mounted then the timestamp of the modified file will be used rather than the original, resulting in the file being pointlessly recreated. Switched to using the css file timestamp instead (should be the same or ~1s off). Possibly a pointless change since it'll always be unmounted when init-start is run but a bug is a bug. If you also modify the css file for some reason you should pick another file from the www directory.

Code:
TIMESTAMP="$(date -r "/www/notification.js")"
to
Code:
TIMESTAMP="$(date -r "/www/notification.css")"
 

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top