This is a migrated thread and some comments may be shown as answers.

FiddlerCoreStartupFlags.Default enables AllowRemoteClients

Masaki
Masaki asked on 02 Jun 2015, 02:39 PM

 Hello,

I couldn't find a security contact at Telerik, so I'm opening a new thread here. Sorry if this has already been discussed or resolved.

As I blogged at http://blog.jpcert.or.jp/2015/05/fiddler-cores-insecure-default-flag-may-lead-to-open-proxy-issue.html

The expected behaviour of FiddlerCoreStartupFlags.Default seems to be different from what it should be, because AllowRemoteClients is false under the default configuration of the stand-alone Fiddler application. Because setting the flag to 'Default' is recommended in the developer manual, many developers could use the flag without understanding the possibility of an 'Open Proxy' issue.

It would be nice if FiddlerCoreStartupFlags.Default were changed so that AllowRemoteClients is toggled off by default.

Thanks,

Masaki
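The following is an added example, not code from the thread or from Telerik's own FiddlerCore sources. It shows the insecure startup the question describes (passing FiddlerCoreStartupFlags.Default) next to two hardened alternatives, plus a defense-in-depth request filter. It assumes the classic FiddlerCore API of that era, FiddlerApplication.Startup(int port, FiddlerCoreStartupFlags flags), and that Session.clientIP exposes the connecting client's address as a string; both are assumptions about the library, not facts quoted from the page.

```csharp
// Added example: FiddlerCore host startup with and without AllowRemoteClients.
// Assumes FiddlerApplication.Startup(int, FiddlerCoreStartupFlags) and Session.clientIP
// (classic FiddlerCore 2.x/4.x-style API); these are assumptions, not quoted from the thread.
using System;
using System.Net;
using Fiddler;

static class ProxyHost
{
    const int ListenPort = 8877;

    // Weak: 'Default' is what the manual recommends, but it includes AllowRemoteClients
    // (and DecryptSSL), so any host that can reach the port can relay traffic through this process.
    static void StartWithDefaultFlags()
    {
        FiddlerApplication.Startup(ListenPort, FiddlerCoreStartupFlags.Default);
    }

    // Hardened, option 1: keep the documented defaults but explicitly mask out the remote bit.
    static void StartLocalOnly()
    {
        var flags = FiddlerCoreStartupFlags.Default & ~FiddlerCoreStartupFlags.AllowRemoteClients;
        FiddlerApplication.Startup(ListenPort, flags);
    }

    // Hardened, option 2 (preferred): start from None and add only what the host actually
    // needs, so every security-sensitive bit is a deliberate choice that shows up in code review.
    static void StartWithExplicitFlags(bool needSystemProxy, bool needDecryptSsl)
    {
        var flags = FiddlerCoreStartupFlags.None;
        if (needSystemProxy) flags |= FiddlerCoreStartupFlags.RegisterAsSystemProxy;
        if (needDecryptSsl) flags |= FiddlerCoreStartupFlags.DecryptSSL;
        // AllowRemoteClients is deliberately never added here.
        FiddlerApplication.Startup(ListenPort, flags);
    }

    // Review/logging helper: does a given flag set expose the proxy to remote clients?
    static bool AllowsRemoteClients(FiddlerCoreStartupFlags flags)
    {
        return (flags & FiddlerCoreStartupFlags.AllowRemoteClients) != 0;
    }

    // Defense in depth: even with the flag off, refuse to relay anything that did not
    // originate on this machine. Assumes Session.clientIP holds the client's address string.
    static void RejectNonLoopbackClients()
    {
        FiddlerApplication.BeforeRequest += delegate (Session oS)
        {
            IPAddress ip;
            if (!IPAddress.TryParse(oS.clientIP, out ip) || !IPAddress.IsLoopback(ip))
            {
                // Answer locally instead of forwarding to the target server.
                oS.utilCreateResponseAndBypassServer();
                oS.responseCode = 403;
                oS.utilSetResponseBody("Forbidden: this proxy serves local clients only.");
            }
        };
    }

    static void Main()
    {
        Console.WriteLine("Default allows remote clients: "
                          + AllowsRemoteClients(FiddlerCoreStartupFlags.Default));
        RejectNonLoopbackClients();
        StartWithExplicitFlags(needSystemProxy: false, needDecryptSsl: false);
        Console.WriteLine("Proxy started on port " + ListenPort + "; press Enter to stop.");
        Console.ReadLine();
        FiddlerApplication.Shutdown();
    }
}
```

Option 2 is the one to prefer in production hosts: masking a bit out of Default still leaves you dependent on whatever else a future Default happens to include, whereas composing the flags from None makes the set explicit. The BeforeRequest filter is a belt-and-braces check only; it does not replace keeping AllowRemoteClients off, and it should be paired with a host firewall rule for the listen port.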

3 Answers, 1 is accepted

Eric Lawrence
Telerik team
answered on 02 Jun 2015, 03:44 PM
Hi, Masaki--

Thanks for the note. The documentation for StartupFlags.Default shows that remote clients are allowed, as are other "security sensitive" options like "DecryptSSL". FiddlerCore hosts absolutely do need to consider their security posture when deciding how to utilize the code.

We appreciate you pointing out that the product in question is making use of our intellectual property in violation of its license. We will have our legal department reach out to the developers of that project.

Regards,
Eric Lawrence
Telerik
Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Feedback Portal and vote to affect the priority of the items
Masaki
answered on 03 Jun 2015, 12:26 AM

Hi Eric,

Thanks for the prompt response.

>The documentation for StartupFlags.Default shows that remote clients are allowed, as are other "security sensitive" options like "DecryptSSL".

That is new information I couldn't find in the manual I was looking at. Then I should probably rewrite my blog post. In the developer manual I'm looking at, the description of 'Default' says "Start FiddlerCore with the default set of options" but never defines what "the default set" is. I would appreciate it if you could point me to the manual where it says AllowRemoteClients is toggled on by 'Default'.

 

Thanks,

Masaki

Eric Lawrence
Telerik team
answered on 04 Jun 2015, 03:21 PM
Hi, Masaki--

The values of the flag are documented in the XML documentation, and that is surfaced within features like Visual Studio's Intellisense feature.

Having said that, out of an abundance of caution we will be making a breaking change to the next build of FiddlerCore to require developers to explicitly opt in to allowing remote clients. Since the Windows Firewall will, by default, block inbound connections to FiddlerCore anyway, a developer already needs to be aware of the AllowRemoteClients feature in order to use it successfully.

Regards,
Eric Lawrence
Telerik