Porteus Kiosk Edition 3.0 rc2 bugs/feedback thread

Share your opinion about Porteus Kiosk Edition.
Forum rules
Porteus Kiosk section of the forum is unmaintained now. It's kept in a 'read only' mode for archival purposes.
Please use the kiosk contact page for directing your queries: https://porteus-kiosk.org/contact.html
fanthom
Moderator Team
Posts: 5667
Joined: 28 Dec 2010, 02:42
Distribution: Porteus Kiosk
Location: Poland


Post#1 by fanthom » 07 Feb 2014, 20:06

Hi guys,

RC2 is out and we are looking for feedback. Please do not hesitate to report bugs and suggestions so we can make Kiosk 3.0 final as stable/feature rich as we can. Kiosk web wizard is in much better shape but I'm sure we can improve it even more :)

Thanks
Please add [Solved] to your thread title if the solution was found.

henk717
Ronin
Posts: 2
Joined: 26 Feb 2014, 17:56
Distribution: Windows 7 ;)
Location: forum.porteus.org


Post#2 by henk717 » 26 Feb 2014, 18:03

While testing the latest version I stumbled on a security concern with Public Fox.
I was able to disable Public Fox and install a custom extension of choice (in my test case Adblock) to the kiosk.
This did get removed on kiosk restart but should be locked. It is also possible to obtain the Public Fox password.
In the customized ISO I have made I replaced Public Fox with an edited version of the Webconverger addon, but it might be possible to patch the security concerns while keeping Public Fox.

How to crack?
1. Go to chrome://global/content/config.xul as about:config is blocked.
2. Search addons
3. Disable the addon block from Public Fox.
4. Go to about:addons and uninstall Public Fox.

I am not entirely sure if the password stored in perf.js is overwritten by pflock.cfg.
In both cases it should still be possible to upload pflock or perf.js to a website such as pastebin and view the password.

In case anyone wants my modified webconverger addon or kiosk.iso feel free to send me a PM (The ISO is non branded and uses Google as startpage).


Post#3 by fanthom » 26 Feb 2014, 20:02

@henk717
This bug is fixed now - please download new ISO and try to recreate.
Thanks for reporting and please share if you find something else. I always think: 'this time kiosk is fully secure' until someone proves that I'm wrong :)

Post#4 by henk717 » 26 Feb 2014, 22:47

I always like to think "This time it is still not fully secure, what else can I do?" :D

Turns out about:preferences was also not blocked, allowing me to set up Firefox Sync to run a rogue extension (in my case a different kiosk protection plugin locking down all navigation). It also allows me to modify application handlers for PDF to a binary of my choice.

While testing, to prevent people from uploading files in the hidden directories such as .mozilla and of course .pklock.cfg, I disabled C-h in the openbox config.

Let's make Porteus the most secure kiosk ever!


Post#5 by fanthom » 27 Feb 2014, 12:19

disabled 'about:permissions', 'about:preferences' and 'about:support'.
disabled also ctrl-h (nice one, Public Fox blocks it normally but not for the file upload window)

thanks a lot.

Locked
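
Posts #2 to #5 show internal browser pages being closed off one name at a time. The following added example (not code from Porteus Kiosk, Public Fox or any poster in this thread) contrasts a name-based blocklist with a deny-by-default navigation check; the function names, the blocklist contents and the `example.org` host are assumptions constructed for illustration.

```javascript
// Added example: hypothetical policy helpers, not Porteus Kiosk or Public Fox code.

// Constructed blocklist modelled on the thread: internal pages listed by name.
const BLOCKED_PAGES = ['about:config', 'about:addons'];

// Weak form: anything not literally on the list is allowed.
function blocklistAllows(rawUrl, blocked = BLOCKED_PAGES) {
  return !blocked.includes(rawUrl.trim().toLowerCase());
}

// Hardened form: only web schemes, and only hosts the kiosk is meant to show.
const WEB_SCHEMES = new Set(['http:', 'https:']);

function allowlistAllows(rawUrl, allowedHosts) {
  let url;
  try {
    url = new URL(rawUrl.trim());
  } catch (err) {
    return false; // unparseable input is denied, not passed through
  }
  // Rejects about:, chrome:, file:, resource: and any other non-web scheme.
  if (!WEB_SCHEMES.has(url.protocol)) return false;
  return allowedHosts.has(url.hostname);
}

// URLs that the name-based blocklist lets through but the allowlist rejects.
function findBlocklistGaps(urls, allowedHosts) {
  return urls.filter((u) => blocklistAllows(u) && !allowlistAllows(u, allowedHosts));
}

// Internal URLs named in the thread, plus one constructed permitted site.
const THREAD_URLS = [
  'about:config',
  'chrome://global/content/config.xul',
  'about:addons',
  'about:preferences',
  'about:permissions',
  'about:support',
  'https://example.org/',
];
const ALLOWED_HOSTS = new Set(['example.org']); // constructed sample value

console.log(findBlocklistGaps(THREAD_URLS, ALLOWED_HOSTS));
```

Every entry the audit prints is a page the blocklist would have to learn about separately, while the allowlist rejects all of them without naming any.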