
Unauthenticated access over the internet to Logs folder

Tags: security, unauthenticated, risk, logs

Best Answer: Luke, 18 June 2017 - 10:40 PM

Yes this is no longer possible.



8 replies to this topic

#1 Danee (Advanced Member; Members, 242 posts; Location: The Netherlands)

Posted 31 October 2014 - 07:15 AM

Hello,

In this thread: http://mediabrowser....g-issues/page-1 it is mentioned the server logfiles are available on the internet without any form of authentication. @ebr responds to this with:

    The ability to access files directly from your server is a function of your site configuration and really shouldn't have anything to do with MB.

I have not changed anything in my site configuration, I've done a standard installation so the installer configured the webserver for me.

I am able to open my logs folder over the internet without any authentication, so it seems to me Media Browser does this out of the box.

To test it, use this link, but include your own hostname (or IP address) and logfilename.

http://[HOSTNAME]:8096/mediabrowser/System/Logs/

http://[HOSTNAME]:8096/mediabrowser/System/Logs/log?name=[VALIDLOGFILENAME]

Cheers,

Danee


Edited by Danee, 31 October 2014 - 08:21 AM.

  • Untoten likes this

#2 gcoupe (Advanced Member; Members, 326 posts)

Posted 31 October 2014 - 08:02 AM

I find this a bit worrying. I'm running the server on a WHS 2011 system, and I have deliberately NOT enabled the Remote Web Access feature, so all I expect to see is a placeholder home page like so:

[screenshot: MB323.png]

...And yet, as Danee says, my MB logs are also being exposed over the internet without any authentication:

[screenshot: MB324.png]

This does not strike me as being acceptable behaviour.



#3 Danee (Advanced Member; Members, 242 posts; Location: The Netherlands)

Posted 31 October 2014 - 08:29 AM

    ...And yet, as Danee says, my MB logs are also being exposed over the internet without any authentication:

    [screenshot: MB324.png]

    This does not strike me as being acceptable behaviour.

Well, actually, you are getting an access denied, but in a very over-informative way: AuthenticationException with a full response status; a simple Access Denied would be preferred.

The thing is, I get this:

[screenshot: logs.png]
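As an added example (not code from this thread, from Emby or from Media Browser), here is a small self-check an operator can run against their own server to confirm how the System/Logs path quoted in Danee's first post answers an anonymous request. The endpoint path is the one from the thread; the verdict categories, the constructed sample bodies, the `fetch` helper and the `example.invalid` host name used for illustration are assumptions of this example. It also flags the kind of denial Danee describes above (an exception name and full response status in an access-denied body), since a verbose error is itself a small information leak even when access is correctly refused.

```python
"""Self-check: does my server's System/Logs endpoint answer without credentials?
Added example for this thread, not Emby / Media Browser project code.
The path comes from the thread; verdict names, sample bodies and the
fetch helper are assumptions made here."""
import json
import urllib.error
import urllib.request

# Path quoted in the thread, relative to http://HOST:8096
LOG_LIST_PATH = "/mediabrowser/System/Logs/"

# Constructed sample bodies for the offline demo and tests (not real server output)
SAMPLE_LISTING = json.dumps([{"Name": "server-63550.txt", "Size": 12345}])
SAMPLE_VERBOSE_DENIAL = (
    "AuthenticationException: Access to this resource requires authentication. "
    "ResponseStatus { ... }"
)


def classify(status, body):
    """Map an HTTP status and body from the logs endpoint to a verdict.

    'exposed'        : 2xx, i.e. the log listing was served to an anonymous caller
    'verbose-denial' : access refused, but the body leaks exception details
    'protected'      : plain 401/403 with a short body
    'unexpected'     : anything else (redirects, 5xx, ...), inspect by hand
    """
    if 200 <= status < 300:
        return "exposed"
    if status in (401, 403):
        if "Exception" in body or len(body) > 200:
            return "verbose-denial"
        return "protected"
    return "unexpected"


def http_fetch(url):
    """Default fetcher: GET the URL with no Authorization or API-key header.
    Returns (status_code, first 2 KiB of the body as text)."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read(2048).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # 401/403 arrive here; the body is still readable
        return err.code, err.read(2048).decode("utf-8", "replace")


def check_logs_endpoint(base_url, fetch=http_fetch):
    """Probe base_url + LOG_LIST_PATH anonymously and return the verdict.
    `fetch` is injectable so the check can be exercised offline."""
    status, body = fetch(base_url.rstrip("/") + LOG_LIST_PATH)
    return classify(status, body)


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        # e.g. python check_logs.py http://your-own-host:8096
        print(check_logs_endpoint(sys.argv[1]))
    else:
        # Offline demo over the constructed responses
        for status, body in [
            (200, SAMPLE_LISTING),
            (401, SAMPLE_VERBOSE_DENIAL),
            (401, "Access denied"),
        ]:
            print(status, classify(status, body))
```

Run it with your own server's base URL as the only argument; a `protected` verdict is what Luke's later answer implies a current server should give, `exposed` reproduces the condition this thread reports, and `verbose-denial` means access is refused but the error body should still be trimmed.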



#4 pir8radio (NGINX; Members, 3371 posts; Location: Chicago)

Posted 31 October 2014 - 08:43 AM

Mine are accessible as well.



#5 ebr (Chief Bottle Washer; Administrators, 50725 posts)

Posted 31 October 2014 - 10:10 AM

Ah, yes. I see. I retract my previous statement as it appears our API is actually what is giving you this access.


  • Danee and Happy2Play like this

#6 Danee (Advanced Member; Members, 242 posts; Location: The Netherlands)

Posted 31 October 2014 - 11:50 AM

Thanks

    Ah, yes. I see. I retract my previous statement as it appears our API is actually what is giving you this access.

Thanks, I hope this hole will be plugged soon :)



#7 Untoten (Advanced Member; Members, 425 posts; Location: https://emby.media/community/index.php?/topic/26495-centralized-authentication-functionality-ldapssohtml-header/)

Posted 18 June 2017 - 10:06 PM

@ebr was this ever addressed? (another reason header auth/LDAP/SSO would be nice, so we can use enterprise applications for security)


Edited by Untoten, 18 June 2017 - 10:07 PM.


#8 Luke (System Architect; Administrators, 152563 posts)

Posted 18 June 2017 - 10:40 PM (Best Answer)

Yes this is no longer possible.


  • ebr and Untoten like this

#9 Untoten (Advanced Member; Members, 425 posts; Location: https://emby.media/community/index.php?/topic/26495-centralized-authentication-functionality-ldapssohtml-header/)

Posted 18 June 2017 - 10:46 PM

Sounds good, just checking around for any sec issues left open, might want to mark this as answered so people see.






