It seems that although lighttpd is configured, it is not directly shipped. Accidentally exposing it to a network could have drastic impact.
The [ajax request address](https://github.com/apertus-open-source-cinema/beta-software/blob/master/software/control_daemon/ControlGUI/js/main.js#L271) is made over http - while this may be appropriate in "localhost"-only environments, if this page is called from an external device via wifi or ethernet, it won't be served in an encrypted fashion:
`url: "http://" + serverIP + "/api/settings",`
This may become an [issue in July](https://security.googleblog.com/2018/02/a-secure-web-is-here-to-stay.html) when chrome begins flagging HTTP resources by default - and who knows how long until http is not accepted any more at all...
More concerning, however, is the fact that PHP is regularly executing bash scripts with sudo-level permissions on files in /root - I would be wary of EVERY avenue of access. A trivial hack would be to:
- set up dhcp service from laptop over eth
- attach the laptop via eth
- ping sweep for clients
- visit the apertus localhost server
- use this crafted url: `http://192.168.0.2/AxiomVision/AxiomVision.php?set=gamma&value='; sudo rm -rf /*'` or something else stupid.
SUGGESTIONS:
- sanitize all userland inputs from php
- whitelist input expectations
- place system calls to shell scripts in a wrapping script
- remove web/lighttpd from sudoers
- revise http to https in [lighttpd.conf](https://github.com/apertus-open-source-cinema/beta-software/blob/master/software/configs/lighttpd.conf)
- consider a device SSL cert pathway with ipv6 / Let's Encrypt
- see [this gist](https://gist.github.com/BlueT/ee521743fa0da703af68f37ac0f63a90) for lighttpd ideas
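To make the "whitelist input expectations" and "wrapping script" suggestions concrete, here is an example wrapper I put together for this issue; it is not code from the beta-software repo, and the setting names, the numeric value format and the `apply_setting` / `is_allowed_setting` / `is_numeric_value` function names are my assumptions. The idea is that this script is the *only* command the web user may run via sudo, it receives the setting name and value as two separate arguments (never as a string handed to `sh -c`), and it rejects anything outside a strict allow-list before any real camera script is touched:

```shell
#!/bin/sh
# Hypothetical sudo-restricted wrapper (added example, not apertus project code).
# PHP would call it as: sudo /usr/local/bin/set-param.sh NAME VALUE, with each
# argument passed through escapeshellarg() and never concatenated into a command
# string. Everything below is validated against an allow-list, so a value such
# as "'; anything'" is rejected instead of ever reaching a shell.

# Allow-list of setting names (constructed for this example, not the real list).
ALLOWED_SETTINGS="gamma gain exposure"

# Return 0 if $1 is exactly one of the allowed setting names, 1 otherwise.
is_allowed_setting() {
    for s in $ALLOWED_SETTINGS; do
        [ "$1" = "$s" ] && return 0
    done
    return 1
}

# Return 0 if $1 is a plain decimal number (optional sign, optional fraction),
# 1 otherwise. Anything containing quotes, semicolons, spaces etc. fails here.
is_numeric_value() {
    printf '%s' "$1" | grep -Eq '^[+-]?[0-9]+(\.[0-9]+)?$'
}

# Validate both arguments and apply the setting.
# Returns 0 and prints the applied pair on success, returns 2 on rejected input.
# The echo stands in for the real hardware-facing script call.
apply_setting() {
    name=$1
    value=$2
    if ! is_allowed_setting "$name"; then
        echo "rejected: unknown setting '$name'" >&2
        return 2
    fi
    if ! is_numeric_value "$value"; then
        echo "rejected: value for '$name' is not numeric" >&2
        return 2
    fi
    # Arguments stay separate words; no interpolation into a shell command line.
    echo "set $name $value"
    return 0
}

# Only act when invoked with exactly two arguments, so the file can be sourced.
if [ "$#" -eq 2 ]; then
    apply_setting "$1" "$2"
fi
```

With this in place the sudoers entry for the web user can be narrowed to that single script instead of a blanket rule, and the PHP side becomes a thin `escapeshellarg` call plus an HTTP 400 on a non-zero exit code; the allow-list lives in one place and the camera scripts in /root are never reachable with attacker-controlled strings.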