mobstef Posted August 8, 2023

Why am I able to download images as an unauthenticated user? Seems like a major security flaw.

curl -v 'http://localhost:8096/emby/Items/337/Images/Primary'
* processing: http://localhost:8096/emby/Items/337/Images/Primary
*   Trying [::1]:8096...
* Connected to localhost (::1) port 8096
> GET /emby/Items/337/Images/Primary HTTP/1.1
> Host: localhost:8096
> User-Agent: curl/8.2.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Length: 16547
< Content-Type: image/jpeg
< Date: Tue, 08 Aug 2023 03:25:09 GMT
< Server: UPnP/1.0 DLNADOC/1.50
< Accept-Ranges: bytes
< Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, Slug, Transfer-Encoding, Want-Digest, X-MediaBrowser-Token, X-Emby-Token, X-Emby-Client, X-Emby-Client-Version, X-Emby-Device-Id, X-Emby-Device-Name, X-Emby-Authorization
< Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS
< Access-Control-Allow-Origin: *
< Cache-Control: public
< ETag: "b98cc27289a45fcbf1221e7cb04f8888"
< Vary: Accept
< Access-Control-Allow-Private-Network: true
< transferMode.dlna.org: Interactive
< realTimeInfo.dlna.org: DLNA.ORG_TLAG=*

I can do exactly the same from remote (through a reverse proxy). Checked on 4.7.11, 4.7.12, 4.7.13, 4.8.0.40.
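The single curl request above can be turned into a repeatable check. The script below is an added example, not code from the thread or from the Emby project: it requests the Primary image for each item ID once without credentials and once with an `X-Emby-Token` header (the header name is taken from the server's Access-Control-Allow-Headers list in the response above), then classifies the pair of status codes. The base URL, the item list and the token are placeholders to replace; the endpoint path is the one from the post, so other image routes the server may expose are not covered.

```python
"""Check whether an Emby server serves item images to an unauthenticated client.

Added example for the thread above; assumptions are marked in comments.
"""
import urllib.error
import urllib.request

BASE_URL = "http://localhost:8096"   # assumption: local Emby instance
ITEM_IDS = ["337"]                    # item id from the post; add your own
TOKEN = None                          # optional: a valid API key / session token

# Path shape taken from the curl request in the post.
IMAGE_PATH = "/emby/Items/{item_id}/Images/Primary"


def fetch_status(base_url, item_id, token=None, timeout=5):
    """Return the HTTP status for the image request, or None if unreachable.

    When a token is given it is sent as X-Emby-Token, one of the headers the
    server lists in Access-Control-Allow-Headers.
    """
    url = base_url.rstrip("/") + IMAGE_PATH.format(item_id=item_id)
    req = urllib.request.Request(url, method="GET")
    if token:
        req.add_header("X-Emby-Token", token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        # 4xx/5xx still carry a status code worth recording
        return exc.code
    except urllib.error.URLError:
        # connection refused, DNS failure, timeout
        return None


def classify(status_anon, status_auth=None):
    """Map the (anonymous, authenticated) status pair to a verdict string."""
    if status_anon is None:
        return "unreachable"
    if status_anon == 200:
        # the finding from the post: the image is served with no credentials
        return "unauthenticated-access"
    if status_anon in (401, 403):
        if status_auth is None or status_auth == 200:
            return "auth-required"
        # both requests refused, e.g. an IP allowlist at a reverse proxy
        return "blocked"
    if status_anon == 404:
        return "not-found"
    return f"unexpected-{status_anon}"


def audit(base_url, item_ids, token=None):
    """Probe every item id and return {item_id: verdict}."""
    results = {}
    for item_id in item_ids:
        anon = fetch_status(base_url, item_id)
        auth = fetch_status(base_url, item_id, token) if token else None
        results[item_id] = classify(anon, auth)
    return results


if __name__ == "__main__":
    for item_id, verdict in audit(BASE_URL, ITEM_IDS, TOKEN).items():
        print(f"item {item_id}: {verdict}")
```

Run it against the server as seen from the outside (through the reverse proxy) as well as from localhost; a verdict of `unauthenticated-access` reproduces the behaviour in the post, and `blocked` on the external run with `auth-required` or `unauthenticated-access` internally is what a proxy-level allowlist looks like.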
pektoral Posted August 8, 2023

Hi mobstef, this is already known since a long time, till today there is no fix for this. Just fixed this by myself through nginx reverse proxy redirection and processing (IP based authentication). So all my images are just shown to people who are authenticated on my server. That's enough security for me....

Kind Regards
pektoral
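An nginx configuration in the spirit of the approach described above, as an added example that is not pektoral's actual config or anything shipped by Emby: the image routes get an address allowlist at the proxy while everything else is passed through unchanged. Assumed values are the upstream address 127.0.0.1:8096, the server name and certificate paths, and the allowed networks 192.168.1.0/24 (LAN) and 10.8.0.0/24 (VPN). The location regex matches the path shape shown in the thread, with the `/emby` prefix made optional as an assumption; any other image routes the server exposes would need their own pattern.

```nginx
# Added example: gate Emby image endpoints by client address at the reverse proxy.
# Assumptions: Emby on 127.0.0.1:8096, trusted clients on 192.168.1.0/24 and
# 10.8.0.0/24, nginx is the first hop so $remote_addr is the real client address.

upstream emby {
    server 127.0.0.1:8096;
}

server {
    listen 443 ssl;
    server_name emby.example.com;                     # assumption
    ssl_certificate     /etc/ssl/certs/emby.pem;      # assumption
    ssl_certificate_key /etc/ssl/private/emby.key;    # assumption

    # Image routes, e.g. /emby/Items/337/Images/Primary as in the thread.
    # Only listed networks may fetch them; everyone else gets 403 from nginx
    # and never reaches the (unauthenticated) image handler in Emby.
    location ~* ^/(emby/)?Items/[^/]+/Images/ {
        allow 192.168.1.0/24;   # LAN
        allow 10.8.0.0/24;      # VPN
        deny  all;

        proxy_pass http://emby;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Everything else: normal pass-through, websocket upgrade included.
    location / {
        proxy_pass http://emby;
        proxy_http_version 1.1;
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        "upgrade";
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Two caveats a practitioner would want. First, this is network-location gating, not user authentication: anyone on the allowed networks, logged in or not, can still fetch images, which is the trade-off the post above accepts. Second, if another proxy or CDN sits in front of nginx, `$remote_addr` is that proxy's address and `allow`/`deny` will match the wrong thing; `set_real_ip_from` and `real_ip_header` (the ngx_http_realip_module) are then required before the allowlist means anything.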
Luke Posted August 8, 2023

Hi, yes we're going to get this changed. It's just something we have to plan out because obviously, it's going to be breaking.
mobstef Posted August 25, 2023 (Author)

Thanks for replies guys. If Emby is insecure by design, maybe the way to go for now would be to secure it externally (i.e. proxy or reverse proxy). The problem I see is, for example, that the Android client does not understand HTTP Basic Authentication nor has proxy support, but browsers do.
Luke Posted August 25, 2023

> 4 hours ago, mobstef said:
> Thanks for replies guys. If Emby is insecure by design, maybe the way to go for now would be to secure it externally (i.e. proxy or reverse proxy). The problem I see is, for example, that the Android client does not understand HTTP Basic Authentication nor has proxy support, but browsers do.

Emby is not insecure by design. It is just this one thing related to images that we'll need to delicately plan out how and when we're going to change it.