Persistent Security Warning

I have a persistent security warning on the Syncthing GUI interface for my Synology NAS. It reads as follows:

The Syncthing admin interface is configured to allow remote access without a password. This can easily give hackers access to read and change any files on your computer. Please set a GUI Authentication User and Password in the Settings dialog.

But my Syncthing listening IP address is set to 127.0.0.1 under both the settings GUI tab and in the config.xml file. I thought that I didn’t need a password with this address since this setting restricts access to the local computer only?

Have I missed something?

Sure, but things like XSS exist, where a malicious webpage might serve JavaScript that makes requests to 127.0.0.1. Because the JavaScript is executed in your browser, it would be able to reach the web UI of Syncthing running on localhost.

Thank you.

When this warning appears, the GUI listen address is not set to localhost, but something different.

The in-use address is printed on startup in the logs, like this:

GUI and API listening on 127.0.0.1:8384

We don’t show that warning unless the UI is actually exposed on something other than localhost. From earlier discussions on this issue, I believe that we take the “usual measures” against XSS and those are deemed safe, as in there are no known attack vectors - the attack surface obviously remains. Is my understanding wrong? Because if it is, a password shouldn’t be optional.

Actually, @imsodin makes a good point. The warning comes up when it’s listening on non-localhost, so the fact that the UI shows 127.0.0.1 doesn’t mean much, as it can be overridden on the command line.

As for XSS, sure, we implement good measures and what not, but safety doesn’t do any harm.


This is from my log file:

[JXSZU] 2020/10/21 11:52:28 INFO: GUI and API listening on [::]:8384
[JXSZU] 2020/10/21 11:52:28 INFO: Access the GUI via the following URL: http://127.0.0.1:8384/

The listening address appears to be blank [::], but the next line implies otherwise. Is this the way it should read for local machine access only?

No, that just says that you should access it using 127.0.0.1, but it’s listening on 0.0.0.0; this is because you can’t browse to 0.0.0.0, hence Syncthing gives the address you should use.

So yes, the ui is available on all interfaces, and accessible from other machines.
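A small check of the kind discussed above, added here as an example and not part of this thread or of Syncthing itself: it pulls the bind address out of the startup log line and reports whether the GUI is reachable only via loopback or on all interfaces. The sample log lines are constructed (the first reproduces the one quoted in this thread).

```python
import re
import ipaddress

# Syncthing prints the GUI bind address once at startup; this picks it out of a log line.
LISTEN_RE = re.compile(r"GUI and API listening on (\S+)")

# Constructed sample log; line 1 copies the entry quoted in the thread.
SAMPLE_LOG = [
    "[JXSZU] 2020/10/21 11:52:28 INFO: GUI and API listening on [::]:8384",
    "[JXSZU] 2020/10/21 11:52:28 INFO: Access the GUI via the following URL: http://127.0.0.1:8384/",
]


def split_host_port(hostport):
    """Split 'host:port' or '[v6addr]:port' into (host, port)."""
    if hostport.startswith("["):
        host, _, port = hostport[1:].partition("]:")
    else:
        host, _, port = hostport.rpartition(":")
    return host, int(port)


def classify_listen_address(hostport):
    """Return 'loopback', 'all-interfaces' or 'specific' for a GUI bind address.

    [::] and 0.0.0.0 are the unspecified addresses and mean every interface,
    which is what triggers Syncthing's no-password warning.
    """
    host, _port = split_host_port(hostport)
    ip = ipaddress.ip_address(host)
    if ip.is_unspecified:
        return "all-interfaces"
    if ip.is_loopback:  # 127.0.0.0/8 or ::1: only the local machine can connect
        return "loopback"
    return "specific"  # bound to one interface address, still reachable remotely


def gui_exposure_from_log(lines):
    """Return (bind address, classification) from the first matching log line, else None."""
    for line in lines:
        m = LISTEN_RE.search(line)
        if m:
            addr = m.group(1)
            return addr, classify_listen_address(addr)
    return None


if __name__ == "__main__":
    print(gui_exposure_from_log(SAMPLE_LOG))  # ('[::]:8384', 'all-interfaces')
```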


How do I fix that? I’ve tried changing the listening address in the config file from default to 127.0.0.1, but after restarting, the log file still shows [::].

Using 127.0.0.1:8384 resulted in [::] in the log file.

Using tcp://127.0.0.1:8384 resulted in Syncthing failing to start.

It’s most likely overridden on the command line somewhere.

The GUI always listens on all interfaces in my Synology packaging. It would be difficult for most users to access it otherwise.