ANSWERED Unauthenticated access over the internet to Logs folder
Danee

Hello,

In this thread: http://mediabrowser.tv/community/index.php?/topic/12014-large-library-causing-issues/page-1 it is mentioned that the server log files are available on the internet without any form of authentication. @ebr responds to this with:

    The ability to access files directly from your server is a function of your site configuration and really shouldn't have anything to do with MB.

I have not changed anything in my site configuration; I've done a standard installation, so the installer configured the web server for me.

I am able to open my logs folder over the internet without any authentication, so it seems to me Media Browser does this out of the box.

To test it, use these links, but include your own hostname (or IP address) and log file name:

http://[HOSTNAME]:8096/mediabrowser/System/Logs/

http://[HOSTNAME]:8096/mediabrowser/System/Logs/log?name=[VALIDLOGFILENAME]

Cheers,

Danee

gcoupe

I find this a bit worrying. I'm running the server on a WHS 2011 system, and I have deliberately NOT enabled the Remote Web Access feature, so all I expect to see is a placeholder home page like so:

[screenshot: MB323.png]

...And yet, as Danee says, my MB logs are also being exposed over the internet without any authentication:

[screenshot: MB324.png]

This does not strike me as being acceptable behaviour.

Danee

gcoupe wrote:

    ...And yet, as Danee says, my MB logs are also being exposed over the internet without any authentication:

    [screenshot: MB324.png]

    This does not strike me as being acceptable behaviour.

Well, actually, you are getting an access denied, but in a very over-informative way: an AuthenticationException with a full response status; a simple "Access Denied" would be preferred.

The thing is, I get this:

[screenshot: logs.png]

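The following is an added example, not Media Browser's code or anything posted in this thread. It reproduces in miniature the two things discussed above: Danee's manual test of the `/mediabrowser/System/Logs/` and `log?name=` URLs against an endpoint that serves logs to anyone, and the point from the gcoupe/Danee exchange that a refusal should be a terse "Access denied" rather than an exception dump. It runs two tiny local HTTP servers, an open one and a hardened one, and probes both. The log contents, the token value and the `X-MediaBrowser-Token` header name are assumptions made for the example; the URL paths mirror the ones in the first post.

```python
"""Added example (not Media Browser's code): an open log endpoint as
reported in the thread beside a hardened one that requires a token and
answers with a short 401, plus a probe to tell them apart."""
import hmac
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Constructed sample data standing in for the server's log directory.
LOGS = {
    "server.txt": "2014-11-01 10:00:00 Info App: Server starting\n",
    "transcode.txt": "2014-11-01 10:05:00 Info Ffmpeg: started\n",
}
LOG_PREFIX = "/mediabrowser/System/Logs/"  # path from the first post
TOKEN_HEADER = "X-MediaBrowser-Token"      # assumed header name
VALID_TOKEN = "s3cret-api-key"             # constructed for the example

# Opener with no proxy so the probe always talks to 127.0.0.1 directly.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def lookup_log(path, query):
    """Resolve a request to a log body, or None if nothing matches.
    Names are looked up in a fixed table rather than joined onto a
    filesystem path, so only known log files can ever be returned."""
    if path == LOG_PREFIX:
        return "\n".join(sorted(LOGS)) + "\n"
    if path == LOG_PREFIX + "log":
        name = query.get("name", [None])[0]
        return LOGS.get(name)
    return None


class OpenLogHandler(BaseHTTPRequestHandler):
    """Serves logs to any caller: the behaviour reported in the thread."""

    def do_GET(self):
        url = urlparse(self.path)
        body = lookup_log(url.path, parse_qs(url.query))
        if body is None:
            self.send_error(404, "Not Found")
            return
        self._send(200, body)

    def _send(self, status, body):
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the example quiet
        pass


class HardenedLogHandler(OpenLogHandler):
    """Same endpoint, but a caller without a valid token gets a short
    401 body instead of an exception trace or any log content."""

    def do_GET(self):
        presented = self.headers.get(TOKEN_HEADER) or ""
        if not hmac.compare_digest(presented, VALID_TOKEN):
            self._send(401, "Access denied\n")
            return
        super().do_GET()


def start_server(handler):
    """Start a server on an ephemeral localhost port; return the port."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_port


def probe(port, path, token=None):
    """GET the path and return (status, body); 4xx/5xx are returned,
    not raised, so the caller can classify them."""
    req = urllib.request.Request(f"http://127.0.0.1:{port}{path}")
    if token:
        req.add_header(TOKEN_HEADER, token)
    try:
        with OPENER.open(req, timeout=5) as resp:
            return resp.getcode(), resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def classify(status):
    """What the manual test in the thread is really checking."""
    if status == 200:
        return "EXPOSED"
    if status in (401, 403):
        return "AUTH REQUIRED"
    return "OTHER"


if __name__ == "__main__":
    for label, handler in (("open", OpenLogHandler), ("hardened", HardenedLogHandler)):
        port = start_server(handler)
        for path in (LOG_PREFIX, LOG_PREFIX + "log?name=server.txt"):
            status, _ = probe(port, path)
            print(f"{label:8} {path:45} {status} {classify(status)}")
```

Against a real host the same `probe`/`classify` pair applies unchanged: a 200 on the listing URL without any credential is the finding, and a 401 or 403 whose body is a one-line refusal is the state the thread asks for.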
pir8radio

mine are accessible as well.

ebr

Ah, yes.  I see.  I retract my previous statement as it appears our API is actually what is giving you this access.

Danee

Thanks

ebr wrote:

    Ah, yes.  I see.  I retract my previous statement as it appears our API is actually what is giving you this access.

Thanks, I hope this hole will be plugged soon :)

Untoten

@ebr was this ever addressed? (Another reason header auth/LDAP/SSO would be nice, so we can use enterprise applications for security.)
Luke

Yes this is no longer possible.

Untoten

Sounds good, just checking around for any sec issues left open, might want to mark this as answered so people see.
