FiddlerCoreStartupFlags.Default enables AllowRemoteClients

4 posts, 0 answers
  1. Masaki
    2 posts
    Member since: Jun 2015

    Posted 02 Jun 2015

    Hello,

    I couldn't find a security contact at Telerik, so I'm opening a new thread here. Sorry if it's already been discussed or resolved.

    As I blogged at http://blog.jpcert.or.jp/2015/05/fiddler-cores-insecure-default-flag-may-lead-to-open-proxy-issue.html

    The expected behaviour of FiddlerCoreStartupFlags.Default seems to be different from what it should be, because AllowRemoteClients is false under the default configuration of the stand-alone Fiddler application. Because setting the flag to 'Default' is recommended in the developer manual, many developers could use the flag without understanding the possibility of an 'Open Proxy' issue.

    It would be nice if FiddlerCoreStartupFlags.Default is changed so that AllowRemoteClients is toggled off by default.

    Thanks,

    Masaki

  2. Eric Lawrence
    Admin
    833 posts

    Posted 02 Jun 2015

    Hi, Masaki--

    Thanks for the note. The documentation for StartupFlags.Default shows that remote clients are allowed, as are other "security sensitive" options like "DecryptSSL". FiddlerCore hosts absolutely do need to consider their security posture when deciding how to utilize the code.

    We appreciate you pointing out that the product in question is making use of our intellectual property in violation of its license. We will have our legal department outreach to the developers of that project.

    Regards,
    Eric Lawrence
    Telerik
    Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug is fixed? Explore the Telerik Feedback Portal and vote to affect the priority of the items.

  3. Masaki
    2 posts
    Member since: Jun 2015

    Posted 02 Jun 2015 in reply to Eric Lawrence

    Hi Eric,

    Thanks for the prompt response.

    >The documentation for StartupFlags.Default shows that remote clients are allowed, as are other "security sensitive" options like "DecryptSSL".

    That is new information I couldn't find in the manual I was looking at. Then I should probably rewrite my blog post. In the developer manual I'm looking at, the description of 'Default' says "Start FiddlerCore with the default set of options" but never defines what "the default set" is. I would appreciate it if you could point me to the manual where it says AllowRemoteClients is toggled on by 'Default'.

    Thanks,

    Masaki

  4. Eric Lawrence
    Admin
    833 posts

    Posted 04 Jun 2015

    Hi, Masaki--

    The values of the flag are documented in the XML documentation, and that is surfaced within features like Visual Studio's Intellisense feature.

    Having said that, out of an abundance of caution we will be making a breaking change to the next build of FiddlerCore to require developers to explicitly opt in to allowing remote clients. Since the Windows Firewall will, by default, block inbound connections to FiddlerCore anyway, a developer already needs to be aware of the AllowRemoteClients feature in order to use it successfully.

    Regards,
    Eric Lawrence
    Telerik
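The explicit opt-out that this thread converges on, written out as an added example (not code from the thread, from Telerik, or from the FiddlerCore documentation). It assumes the FiddlerCore 4.x API of the time: `FiddlerCoreStartupFlags` is a `[Flags]` enum containing `Default`, `AllowRemoteClients` and `DecryptSSL`, `FiddlerApplication.Startup(int, FiddlerCoreStartupFlags)` starts the listener, and `Session.clientIP` carries the connecting client's address as a string. The weak setting sits beside the corrected one, and a request-time guard refuses non-loopback clients even if a later build or a copied flag value turns the bit back on.

```csharp
using System;
using System.Net;
using Fiddler;

// Added example, not Telerik's code. Assumes FiddlerCore 4.x, where
// FiddlerCoreStartupFlags is a [Flags] enum and FiddlerApplication.Startup
// takes (int port, FiddlerCoreStartupFlags flags).
static class FiddlerCoreHost
{
    // What the thread describes: Default includes AllowRemoteClients (and
    // DecryptSSL), so a host started this way listens for any machine that
    // can reach the port, i.e. an open proxy unless something else blocks it.
    static readonly FiddlerCoreStartupFlags OpenProxyFlags =
        FiddlerCoreStartupFlags.Default;

    // Explicit opt-out: start from Default and clear the security-sensitive
    // bits. Re-add DecryptSSL only if the host really needs to inspect TLS.
    static readonly FiddlerCoreStartupFlags LocalOnlyFlags =
        FiddlerCoreStartupFlags.Default
        & ~FiddlerCoreStartupFlags.AllowRemoteClients
        & ~FiddlerCoreStartupFlags.DecryptSSL;

    // True when a flag set would accept connections from other machines.
    // Useful as a startup assertion in any FiddlerCore host.
    public static bool AcceptsRemoteClients(FiddlerCoreStartupFlags flags)
    {
        return (flags & FiddlerCoreStartupFlags.AllowRemoteClients) != 0;
    }

    // Accepts IPv4 and IPv6 loopback. Session.clientIP is assumed to be a
    // plain address string such as "127.0.0.1" or "::1".
    static bool IsLoopback(string clientIp)
    {
        IPAddress addr;
        return IPAddress.TryParse(clientIp, out addr) && IPAddress.IsLoopback(addr);
    }

    static void Main()
    {
        Console.WriteLine("Default accepts remote clients:   " + AcceptsRemoteClients(OpenProxyFlags));
        Console.WriteLine("LocalOnly accepts remote clients: " + AcceptsRemoteClients(LocalOnlyFlags));

        // Fail closed at startup rather than discovering the open proxy later.
        if (AcceptsRemoteClients(LocalOnlyFlags))
            throw new InvalidOperationException("Refusing to start with AllowRemoteClients set.");

        // Second layer: even with the flag cleared, refuse any session that did
        // not originate on this machine, and log it so the attempt is visible.
        FiddlerApplication.BeforeRequest += delegate (Session oS)
        {
            if (!IsLoopback(oS.clientIP))
            {
                Console.WriteLine("Rejected non-loopback client " + oS.clientIP + " for " + oS.fullUrl);
                oS.utilCreateResponseAndBypassServer();
                oS.responseCode = 403;
                oS.utilSetResponseBody("Remote clients are not permitted.");
            }
        };

        FiddlerApplication.Startup(8877, LocalOnlyFlags);
        Console.WriteLine("Listening on 127.0.0.1:8877; press Enter to stop.");
        Console.ReadLine();
        FiddlerApplication.Shutdown();
    }
}
```

The startup assertion is the part worth keeping even after the breaking change Eric describes: it makes the host's intent explicit in code rather than in whatever `Default` happens to mean in the installed build. Eric's point about the Windows Firewall is a real mitigation but an environmental one; a host deployed on a machine where the firewall is disabled, or on a non-Windows platform, gets no protection from it, which is why the flag and the loopback check are the controls the host itself should own.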