Porteus Kiosk Edition 3.0 rc2 bugs/feedback thread

Posted: 07 Feb 2014, 20:06
by fanthom
Hi guys,

RC2 is out and we are looking for feedback. Please do not hesitate to report bugs and suggestions so we can make Kiosk 3.0 final as stable/feature rich as we can. Kiosk web wizard is in much better shape but I'm sure we can improve it even more :)

Thanks

Re: Porteus Kiosk Edition 3.0 rc2 bugs/feedback thread

Posted: 26 Feb 2014, 18:03
by henk717
While testing the latest version I stumbled on a security concern with Public Fox.
I was able to disable Public Fox and install a custom extension of choice (in my test case, Adblock) to the kiosk.
This did get removed on kiosk restart but should be locked. It is also possible to obtain the Public Fox password.
In the customized ISO I have made, I replaced Public Fox with an edited version of the Webconverger addon, but it might be possible to patch the security concerns while keeping Public Fox.

How to crack?
1. Go to chrome://global/content/config.xul as about:config is blocked.
2. Search addons
3. Disable the addon block from Public Fox.
4. Go to about:addons and uninstall Public Fox.

I am not entirely sure if the password stored in perf.js is overwritten by pflock.cfg.
In both cases it should still be possible to upload pflock or perf.js to a website such as pastebin and view the password.

In case anyone wants my modified webconverger addon or kiosk.iso feel free to send me a PM (The ISO is non branded and uses Google as startpage).

Re: Porteus Kiosk Edition 3.0 rc2 bugs/feedback thread

Posted: 26 Feb 2014, 20:02
by fanthom
@henk717
this bug is fixed now - please download the new ISO and try to recreate.
thanks for reporting and please share if you find something else. I always think: 'this time kiosk is fully secure' until someone proves that I'm wrong :)

Re: Porteus Kiosk Edition 3.0 rc2 bugs/feedback thread

Posted: 26 Feb 2014, 22:47
by henk717
I always like to think "This time it is still not fully secure, what else can I do?" :D

Turns out about:preferences was also not blocked, allowing me to set up Firefox Sync to run a rogue extension (in my case, a different kiosk protection plugin locking down all navigation). It also allows me to modify application handlers for PDF to a binary of my choice.

While testing to prevent people from uploading files in the hidden directories such as .mozilla and of course .pklock.cfg, I disabled C-h in the openbox config.

Let's make Porteus the most secure kiosk ever!

Re: Porteus Kiosk Edition 3.0 rc2 bugs/feedback thread

Posted: 27 Feb 2014, 12:19
by fanthom
disabled 'about:permissions', 'about:preferences' and 'about:support'.
disabled also ctrl-h (nice one, Public Fox blocks it normally but not for the file upload window)

thanks a lot.