It seems that although lighttpd is configured, it is not directly shipped. Accidentally exposing it to a network could have drastic impact.
The AJAX request is made over HTTP - while this may be appropriate in "localhost"-only environments, if this page is called from an external device via Wi-Fi or Ethernet, it won't be served in an encrypted fashion:
url: "http://" + serverIP + "/api/settings",
This may become an issue in July when Chrome begins flagging HTTP resources by default - and who knows how long until HTTP is not accepted any more at all...
More concerning, however, is the fact that PHP is regularly executing bash scripts with sudo-level permissions on files in /root - I would be wary of EVERY avenue of access. A trivial hack would be to:
- set up a DHCP service from a laptop over Ethernet
- attach the laptop via eth
- ping sweep for clients
- visit the apertus localhost server
- use this crafted url: http://192.168.0.2/AxiomVision/AxiomVision.php?set=gamma&value='; sudo rm -rf /*' or something else stupid.
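The injection the comment above describes comes from passing a request parameter straight into a shell string. The following is an added example of what a hardened handler for that kind of endpoint looks like; it is not code from the apertus project or from the commenter. It assumes the endpoint takes `set=<name>&value=<v>` and forwards both to a privileged script; the script path `/opt/axiom/bin/set-setting.sh`, the setting names and their ranges are placeholders, as is the `handle_request` function.

```php
<?php
// Added example (not project code): allowlisted, validated settings handler.
// Assumptions: script path, setting names and ranges below are placeholders.
declare(strict_types=1);

const SETTINGS_SCRIPT = '/opt/axiom/bin/set-setting.sh'; // placeholder path

// Allowlist of accepted setting names with a validator for each value.
// Anything not listed is rejected before it gets anywhere near a shell.
const SETTING_VALIDATORS = [
    'gamma' => ['type' => 'float', 'min' => 0.1, 'max' => 4.0],
    'gain'  => ['type' => 'int',   'min' => 0,   'max' => 3],
];

// Returns the canonical string form of a valid value, or null if the
// setting is unknown or the value is not a number inside its range.
function validate_setting(string $name, string $raw): ?string
{
    if (!array_key_exists($name, SETTING_VALIDATORS)) {
        return null;
    }
    $rule   = SETTING_VALIDATORS[$name];
    $filter = $rule['type'] === 'int' ? FILTER_VALIDATE_INT : FILTER_VALIDATE_FLOAT;
    $opts   = ['options' => ['min_range' => $rule['min'], 'max_range' => $rule['max']]];
    $value  = filter_var($raw, $filter, $opts);
    if ($value === false) {
        return null;
    }
    return (string) $value;
}

// Builds the command from already-validated pieces. escapeshellarg() is
// defence in depth here: the allowlist is what actually blocks injection.
// `sudo -n` never prompts, so a misconfigured sudoers entry fails fast
// instead of hanging the PHP worker.
function build_command(string $name, string $value): string
{
    return 'sudo -n ' . escapeshellarg(SETTINGS_SCRIPT) . ' '
        . escapeshellarg($name) . ' ' . escapeshellarg($value);
}

// Handles one request and returns [http status, response body].
// Unsafe pattern this replaces: "sudo script.sh $_GET[set] '$_GET[value]'",
// where a quote inside `value` lets the shell see a second command.
function handle_request(array $query): array
{
    $name  = (string) ($query['set']   ?? '');
    $value = (string) ($query['value'] ?? '');

    $clean = validate_setting($name, $value);
    if ($clean === null) {
        return [400, ['error' => 'unknown setting or out-of-range value']];
    }

    $output = [];
    $status = 1;
    exec(build_command($name, $clean), $output, $status);
    if ($status !== 0) {
        return [500, ['error' => 'setting script failed', 'code' => $status]];
    }
    return [200, ['ok' => true, 'output' => implode("\n", $output)]];
}

[$code, $body] = handle_request($_GET);
http_response_code($code);
header('Content-Type: application/json');
echo json_encode($body);
```

Two points go with this on the system side: the sudoers entry for the web server user should grant only the one script (with `NOPASSWD`) rather than a blanket `ALL`, and the script itself should treat its two arguments as data, never `eval` them. With both in place, a `value` such as `'; sudo rm -rf /*'` is rejected with a 400 before any process is spawned.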