Like many other "localhost" web servers, SABnzbd suffers from a cross-site request forgery vulnerability.
This problem was brought to our attention by the firm Secunia.
They informed us of a vulnerability caused by the lack of authentication in the API and other parts of the web interface that could lead to a "Cross-Site Request Forgery" attack.
The vulnerability makes it possible for an external website to issue commands to parts of the web interface of your local SABnzbd installation. We have had no reports of any sites abusing this issue, and none of the data in the web interface is at risk; however, we are acting quickly to be on the safe side.
The first time SABnzbd-0.4.9 is started it will generate a random key. This new unique API key will be used for controlling any "actions" you can have SABnzbd perform. For basic usage you shouldn't notice any changes. All links in SABnzbd's web interface will automatically have the key if they need it.
The unpleasant bit is the interface to third-party utilities (e.g. the Firefox add-on nzbStatus or init.d scripts). These will need to be modified, because they must now pass the parameter "apikey" to SABnzbd. The value of your unique "apikey" is listed on your Config->General page.
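The mechanism described above, as an added example that is not SABnzbd's own code: a random key is generated once on first start, and an action is accepted only when the request carries that key in the "apikey" parameter. The function names, the key file location and the sample query strings are assumptions made for this illustration.

```python
import hmac
import os
import secrets
import tempfile
from urllib.parse import parse_qs


def load_or_create_api_key(path):
    """Return the stored key, generating a random one on first start."""
    try:
        with open(path, "r", encoding="ascii") as fh:
            key = fh.read().strip()
        if key:
            return key
    except FileNotFoundError:
        pass
    key = secrets.token_hex(16)  # 128 bits from the OS CSPRNG
    # Create the file owner-only so other local users cannot read the key.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="ascii") as fh:
        fh.write(key)
    return key


def is_authorized(query_string, api_key):
    """Accept an action only if it carries exactly one correct apikey."""
    supplied = parse_qs(query_string).get("apikey", [])
    if len(supplied) != 1:
        return False  # missing or ambiguous key: reject
    # Constant-time comparison avoids leaking the key through timing.
    return hmac.compare_digest(supplied[0].encode(), api_key.encode())


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        key_file = os.path.join(tmp, "apikey.txt")  # hypothetical location
        key = load_or_create_api_key(key_file)      # first start: generated
        again = load_or_create_api_key(key_file)    # restart: same key reused
    # Constructed sample requests; "mode=pause" is an illustrative action.
    forged = "mode=pause"                       # sent by another site's page
    tool = "mode=pause&apikey=" + key           # updated third-party tool
    wrong = "mode=pause&apikey=" + "0" * 32     # guessed key
    return (key == again, is_authorized(forged, key),
            is_authorized(tool, key), is_authorized(wrong, key))


if __name__ == "__main__":
    print(demo())
```

A page on another site can make the browser send the first request, with any saved login attached, but it cannot read the key, so the request is refused.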
We have notified the authors of many third-party tools known to use the API of what this change will mean, so they can promptly release updated versions of their tools.
You can disable this security feature to avoid compatibility problems, but we strongly advise against this. Even if you use a username/password for SABnzbd's web interface, you will not be fully protected against the vulnerability, as an attack can re-use your authentication if you have recently logged in.
In our opinion, it's actually quite difficult to create a useful exploit of the vulnerability. Nevertheless, we feel obligated to close whatever security holes people bring to our attention, regardless of how remote the possibility of actual exploitation is.