From 7ae9491febd82edd4851cd63d9413aa5ef2cfa2b Mon Sep 17 00:00:00 2001
From: DeNNiiInc
Date: Thu, 1 Jan 2026 22:28:32 +1100
Subject: [PATCH] Add security warnings
---
 README.md | 12 +++++-
 install.sh | 4 ++
 webui/index.php | 105 +++++++++++++++++++++++++------------------------
 3 files changed, 69 insertions(+), 52 deletions(-)
diff --git a/README.md b/README.md
index 130f280..f266d1b 100644
--- a/README.md
+++ b/README.md
@@ -55,7 +55,17 @@ Open your browser and navigate to:
 http:///ultyscan/
 ```
-### Features
+### Security Warning ⚠️
+
+> [!CAUTION]
+> **THIS UTILITY RUNS WITH ROOT PRIVILEGES.**
+>
+> 1. **DO NOT** expose the Web Interface directly to the public internet.
+> 2. **DO NOT** run this on a server running other critical services.
+> 3. **ALWAYS** use a VPN or SSH Tunnel (e.g. `ssh -L 8888:localhost:8888 user@server`) to access the interface.
+> 4. The default install creates a `www-data` sudoer entry allowing execution of critical commands.
+
+## Features
 | Tab | Description |
 |-----|-------------|
diff --git a/install.sh b/install.sh
index 17a291c..114e433 100644
--- a/install.sh
+++ b/install.sh
@@ -548,6 +548,10 @@ echo ""
 echo -e "$OKRED[>]$RESET Done! $RESET"
 echo -e "$OKRED[>]$RESET To run from command line, type 'sniper'! $RESET"
 echo ""
+echo -e "$OKRED[!] SECURITY WARNING: THIS UTILITY RUNS WITH ROOT PRIVILEGES$RESET"
+echo -e "$OKRED[!] DO NOT EXPOSE THIS WEB INTERFACE DIRECTLY TO THE INTERNET$RESET"
+echo -e "$OKRED[!] USE A VPN OR SSH TUNNEL FOR ACCESS$RESET"
+echo ""
 echo -e "$OKBLUE============================================$RESET"
 echo -e "$OKGREEN ULTYSCAN WEB INTERFACE$RESET"
 echo -e "$OKBLUE============================================$RESET"
diff --git a/webui/index.php b/webui/index.php
index 740d467..42977ea 100644
--- a/webui/index.php
+++ b/webui/index.php
@@ -390,61 +390,64 @@ Loot Directory: /usr/share/sniper/loot/workspace

- - - - - + + showNotification('Pulling latest changes from GitHub...', 'info'); + try { + const response = await fetch('execute.php', { + method: 'POST', + headers: { + 'Content-Type': 'application/x-www-form-urlencoded' + }, + body: 'action=update' + }); + const result = await response.json(); + if (result.success) { + showNotification('Updated to commit #' + result.commit + '. Refreshing page...', 'success'); + setTimeout(() => window.location.reload(), 2000); + } else { + showNotification('Update failed: ' + (result.error || 'Unknown error'), 'error'); + btn.disabled = false; + btn.textContent = 'Update UltyScan'; + } + } catch (e) { + showNotification('Update failed: ' + e.message, 'error'); + btn.disabled = false; + btn.textContent = 'Update UltyScan'; + } + } + + async function stopAllScans() { + try { + await fetch('execute.php', { + method: 'POST', + headers: { + 'Content-Type': 'application/x-www-form-urlencoded' + }, + body: 'action=stop' + }); + showNotification('Stop signal sent.', 'warning'); + checkScanStatus(); + } catch (e) { + showNotification('Failed to stop scans.', 'error'); + } + } + \ No newline at end of file
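Review bot: The two state-changing requests in this hunk, `body: 'action=update'` and `body: 'action=stop'` posted to `execute.php`, carry no anti-CSRF token, and a form-encoded POST is one that browsers send cross-site without a preflight. The VPN or SSH tunnel advice added in this commit does not cover a request issued by another page open in the operator's browser, so unless `execute.php` (not visible here) already verifies a session-bound token or the `Origin` header, it should, because the README states the backend runs with root privileges. On the client side that means sending a per-session token with both calls, e.g. `'X-CSRF-Token': csrfToken` in `headers` (`csrfToken` is a placeholder name), and rejecting requests without it on the server. Separately, `stopAllScans()` shows 'Stop signal sent.' without inspecting the response, so a failed stop is reported as success; check `response.ok` before notifying. The opening lines of the first function and much of the surrounding markup are missing from the hunk as shown, so this is based on the visible lines only.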