This is a hobby project by an independent developer, not a professional security-audited product.
- π€ Solo Developer - Built by one person for fun and learning
- π Best Effort - Security measures implemented based on available knowledge
- π§ Community Driven - If you find issues, please report them!
- β Not Enterprise Grade - No professional security audit has been performed
- π‘ Educational Purpose - Use at your own risk, especially in critical scenarios
I'm doing my best to make this secure, but I'm not a security expert or professional organization. Contributions and security reviews from the community are very welcome!
EmergencyBox is designed for offline, isolated, trusted networks in emergency scenarios.
This project intentionally prioritizes accessibility over security to ensure anyone can connect and communicate during disasters when authentication barriers could prevent life-saving coordination.
| Missing Security Feature | Rationale |
|---|---|
| β User Authentication | Emergency scenarios require instant access - no time for account creation |
| β Encryption (HTTPS) | Self-signed certificates cause browser warnings, confusing for non-technical users |
| β Access Control Lists | All users must be trusted in disaster relief contexts |
| β File Malware Scanning | No antivirus available for ARM routers, manual review required |
| β Rate Limiting (strict) | Basic flood protection only - emergency traffic can spike |
| β Audit Logging | Minimal logs - focus on reliability over forensics |
If you need these features, EmergencyBox may not be suitable for your use case.
| Protection | Status | Implementation |
|---|---|---|
| SQL Injection Prevention | β Implemented | Parameterized SQLite queries |
| Path Traversal Protection | β Implemented | File upload directory restrictions |
| XSS Prevention | β Implemented | Output escaping in JavaScript |
| File Type Validation | β Implemented | MIME type checking |
| Input Length Limits | β Implemented | Message (1000 chars), Username (50 chars) |
| File Size Limits | β Implemented | Configurable (default 5GB) |
| Filename Sanitization | β Implemented | Regex filtering, path normalization |
// β
GOOD - Parameterized query
$stmt = $db->prepare('INSERT INTO messages (message) VALUES (:message)');
$stmt->bindValue(':message', $message, SQLITE3_TEXT);
$stmt->execute();
// β BAD - Never used in codebase
// $db->exec("INSERT INTO messages (message) VALUES ('$message')");Minimal security - maximum accessibility:
- β WiFi with simple password (shared verbally)
- β Disable WAN access (LAN only)
- β Physical router security (locked box)
- β Change default router admin password
- β Manual file review (check uploads periodically)
If deploying in non-emergency or semi-public scenarios:
-
Enable WPA2/WPA3 WiFi Encryption
# Set strong WiFi password via DD-WRT web interface # Wireless > Basic Settings > Security Mode: WPA2 Personal
-
Disable WAN Access
# Security > Firewall > Block WAN Requests: Enable -
Change Router Admin Password
# Administration > Management > Router Password -
Add Basic Authentication (Custom Modification)
- Not included by default
- See
docs/DEVELOPMENT.mdfor implementation guide - Adds HTTP Basic Auth to lighttpd
-
Enable HTTPS (Advanced)
- Generate self-signed certificate
- Configure lighttpd SSL
- Note: Causes browser warnings
-
Implement Upload Restrictions
- Whitelist allowed file extensions
- Reduce max file size
- Add user quotas
Risk Level: π΄ HIGH
Description: Users can upload any file type, including executables, scripts, or malware.
Attack Scenario:
- Attacker uploads
malware.exedisguised asdocument.pdf - Other users download and execute on their devices
- Network compromise, data theft, ransomware
Mitigations:
- β Basic MIME type validation (easily bypassed)
β οΈ Manual file review by adminβ οΈ Trust-based network assumption- β No malware scanning (not available on router)
Recommended Actions:
- Deploy only in trusted networks (team members, vetted volunteers)
- Periodically review uploaded files via admin panel
- Educate users not to execute unknown files
- Consider whitelisting file extensions (config modification)
Code Location: www/api/upload.php:14-84
Risk Level: π΄ HIGH
Description: Malicious user can fill USB storage with large files, causing system failure.
Attack Scenario:
- Attacker uploads multiple 5GB files
- USB drive fills completely
- Database writes fail, system becomes unusable
Mitigations:
- β File size limit (5GB configurable)
β οΈ Admin can delete files- β No per-user quotas
- β No automatic cleanup
Recommended Actions:
- Monitor disk space via admin panel
- Set lower file size limits for public deployments
- Implement user quotas (custom modification)
- Regular cleanup of old files
Code Location: www/api/upload.php:40-42, config/php.ini:upload_max_filesize
Risk Level: π‘ MEDIUM
Description: User can spam chat with thousands of messages.
Attack Scenario:
- Attacker sends 1000+ messages rapidly
- Chat becomes unusable
- Database bloats
- Legitimate messages buried
Mitigations:
β οΈ Basic flood protection (client-side only)- β Admin can clear chat
- β No server-side rate limiting
Recommended Actions:
- Monitor chat activity
- Use admin clear function if needed
- Add server-side rate limiting (custom modification)
Code Location: www/api/send_message.php:10-61
Risk Level: π‘ MEDIUM
Description: Default DD-WRT credentials allow router takeover.
Attack Scenario:
- Attacker connects to WiFi
- Access
http://192.168.1.1(DD-WRT admin) - Login with default
root/admin - Take control of router, modify EmergencyBox
Mitigations:
β οΈ Deployment guide recommends password change- β Not enforced by EmergencyBox
Recommended Actions:
- ALWAYS change default router password
- Disable router admin access from WiFi (wired only)
- Use strong password for router admin
Documentation: docs/INSTALLATION.md, DEPLOYMENT.md
Risk Level: π‘ MEDIUM
Description: Malicious filenames could potentially exploit database.
Attack Scenario:
- Attacker uploads file named
'; DROP TABLE messages;--.jpg - If not properly sanitized, could execute SQL
Mitigations:
- β Parameterized queries (prevents SQL injection)
- β Filename sanitization (regex filter)
- β Path normalization
Status: Protected, but defense-in-depth is important
Code Location: www/api/upload.php:58-60
Risk Level: π’ LOW
Description: JavaScript in chat messages could execute in other users' browsers.
Attack Scenario:
- Attacker sends message:
<script>alert('XSS')</script> - Other users' browsers execute the script
- Could steal session data, modify page
Mitigations:
- β Output escaping in JavaScript
- β Text content rendering (not innerHTML)
β οΈ Markdown/HTML not supported (reduces attack surface)
Status: Protected by output escaping
Code Location: www/js/app.js (message rendering)
Risk Level: π’ LOW
Description: Detailed error messages expose system information.
Attack Scenario:
- Attacker triggers errors
- Error messages reveal PHP version, file paths, database structure
- Uses info for targeted attacks
Mitigations:
β οΈ Generic errors shown to usersβ οΈ Detailed errors in server logs only- β PHP display_errors not always disabled
Recommended Actions:
- Ensure
display_errors = Offin production - Review error handling in all API endpoints
Code Location: www/api/config.php, all API files
Risk Level: π’ LOW
Description: Malicious folder names could access restricted paths.
Attack Scenario:
- Attacker creates custom folder:
../../etc/passwd - Could potentially write files outside upload directory
Mitigations:
- β Strict regex filtering of folder names
- β Path sanitization
- β Only alphanumeric, dash, underscore allowed
Status: Protected by input validation
Code Location: www/api/upload.php:52-56
// Sanitization example
$category = preg_replace('/[^a-zA-Z0-9_-]/', '', trim($_POST['custom_folder']));- Change default router admin password
- Set WiFi password (share securely with team)
- Disable WAN access on router
- Verify
/opt/share/www/uploads/permissions (755) - Test file upload limits
- Review uploaded files directory structure
- Document WiFi credentials securely
- Physically secure router (locked box/room)
- Monitor disk space regularly
- Review uploaded files periodically
- Clear chat if spam occurs
- Backup database daily (
emergencybox.db) - Keep router in secure location
- Limit physical access to router
- Securely wipe uploaded files (if sensitive)
- Backup critical data
- Factory reset router (if redeploying elsewhere)
- Document lessons learned
- Report security incidents to community
For security vulnerabilities, please open public GitHub issues.
Please provide:
- Description of the vulnerability
- Steps to reproduce
- Potential impact assessment
- Suggested fix (if any)
- Your contact information (optional, for follow-up)
- Acknowledgment: Unknow
- Initial Assessment: Unknow
- Fix Timeline: If i can fix it
- We follow responsible disclosure
- Vulnerabilities will be patched before public disclosure
- Reporter will be credited (unless anonymous)
File: www/api/upload.php
// Add after line 60
$allowed_extensions = ['jpg', 'jpeg', 'png', 'pdf', 'txt', 'doc', 'docx'];
$extension = strtolower(pathinfo($safeName, PATHINFO_EXTENSION));
if (!in_array($extension, $allowed_extensions)) {
handleError('File type not allowed');
}File: www/api/send_message.php
// Add simple rate limiting
$ip = $_SERVER['REMOTE_ADDR'];
$rate_limit_file = '/tmp/rate_limit_' . md5($ip);
if (file_exists($rate_limit_file)) {
$last_message_time = file_get_contents($rate_limit_file);
if (time() - $last_message_time < 2) { // 2 second cooldown
handleError('Please wait before sending another message');
}
}
file_put_contents($rate_limit_file, time());File: config/lighttpd.conf
# Generate self-signed certificate first:
# openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
# -keyout /opt/etc/lighttpd/server.pem \
# -out /opt/etc/lighttpd/server.pem
$SERVER["socket"] == ":443" {
ssl.engine = "enable"
ssl.pemfile = "/opt/etc/lighttpd/server.pem"
}
File: config/lighttpd.conf
# Install lighttpd-mod-auth
# opkg install lighttpd-mod-auth
server.modules += ( "mod_auth" )
auth.backend = "htpasswd"
auth.backend.htpasswd.userfile = "/opt/etc/lighttpd.user"
auth.require = ( "/" =>
(
"method" => "basic",
"realm" => "EmergencyBox",
"require" => "valid-user"
)
)
File: config/php.ini
display_errors = Off
log_errors = On
error_log = /opt/var/log/php_errors.log| Date | Auditor | Scope | Findings | Status |
|---|---|---|---|---|
| 2026-01-11 | Internal | Initial security review | 8 vulnerabilities documented | Open |
| - | - | - | - | - |
Last Updated: 2026-01-11 Version: 0.9 (Beta)
EmergencyBox intentionally prioritizes usability over security because:
- Lives are at stake - Delays in communication can cost lives
- Non-technical users - Aid workers, volunteers, victims may not understand security prompts
- Time-critical - Must deploy in minutes, not hours
- Trusted networks - Designed for vetted teams, not public internet
- Offline context - No external attack surface when isolated
If you need enterprise-grade security, consider:
- FreeTAKServer - Full authentication, encryption
- POSM - Professional deployment with access controls
- Commercial solutions with security audits
EmergencyBox is for emergencies. Security takes a back seat to saving lives.
This project is maintained by an independent developer as a hobby project. While I've implemented security best practices to the best of my knowledge, I'm not a professional security researcher or part of a formal organization.
I appreciate:
- π Bug reports and vulnerability disclosures
- π Security reviews from experienced developers
- π¬ Constructive feedback and suggestions
- π€ Community contributions to improve security
I cannot guarantee:
- β±οΈ Specific response times (I have a day job!)
- π‘οΈ Enterprise-level security
- π 24/7 support
- π° Bounty payments
But I promise:
- β To take security reports seriously
- β To fix issues when I can
- β To be transparent about limitations
- β To credit security researchers
- β To learn and improve
Remember: The biggest security risk in a disaster is not being able to communicate at all.
Use this software at your own risk. It's provided "as-is" for educational and humanitarian purposes.