Bitdefender Endpoint reports error

I’m using the latest version of volumio

When I access the web interface from a windows pc with Bitdefender Endpoint Security installed I get the following bitdefender message:

Your device is being used to conduct an attack attempt of type Exploit.CommandInjection.258. Please contact your system administrator.

In the console I get:

Failed to load resource: the server responded with a status of 403 (Bitdefender Endpoint Security Tools blocked this page)

The link it’s calling is:{{’/albumart?sectionimage=%27+section.image}}

the full endpoint log is:

Detection details

Threat type:
Lateral movement
Endpoint name:
Endpoint type:

Same/similar issue has been discussed in this thread

This is caused by a bug in Volumio UI. The offending code is this:

<img ng-if="!section.icon && section.image" src="{{\'/albumart?sectionimage=\'+section.image}}" class="section-image"> 

You are likely to see the warning from Bitdefender when browsing a plugin settings page.

Reason why this happens is, even if the ng-if condition isn’t met because there is no section.image (most plugin settings show icons in the section headings instead of images), the browser will still load the image’s src, which in this case is an invalid URL that also appears to be unsafe according to Bitdefender.

I don’t know Angular JS which is what Volumio uses for its framework, but it seems the proper way to conditionally show img elements is to use ng-src instead of src:

This behaviour is actually documented right at the beginning.

1 Like

Thanks for the hint! It’s now fixed (manifest only)

Please let us know (in future versions, if that’s still an issue)

Thanks @patrickkfkan !!!