Danee 57 Posted October 31, 2014 Posted October 31, 2014 (edited) Hello, In this thread: http://mediabrowser.tv/community/index.php?/topic/12014-large-library-causing-issues/page-1 it is mentioned the server logfiles are available on the internet without any form of authentication. @@ebr responds to this with: The ability to access files directly from your server is a function of your site configuration and really shouldn't have anything to do with MB. I have not changed anything in my site configuration, I've done a standard installation so the installer configured the webserver for me. I am able to open my logs folder over the internet without any authentication, so it seems to me Media Browser does this out of the box. To test it, use this link, but include your own hostname (or IP address) and logfilename. http://[HOSTNAME]:8096/mediabrowser/System/Logs/ http://[HOSTNAME]:8096/mediabrowser/System/Logs/log?name=[VALIDLOGFILENAME] Cheers, Danee Edited October 31, 2014 by Danee 1
gcoupe 63 Posted October 31, 2014 Posted October 31, 2014 I find this a bit worrying. I'm running the server on a WHS 2011 system, and I have deliberately NOT enabled the Remote Web Access feature, so all I expect to see is a placeholder home page like so: ...And yet, as Danee says, my MB logs are also being exposed over the internet without any authentication: This does not strike me as being acceptable behaviour.
Danee 57 Posted October 31, 2014 Author Posted October 31, 2014 ...And yet, as Danee says, my MB logs are also being exposed over the internet without any authentication: This does not strike me as being acceptable behaviour. Well, actually, you are getting an access denied, but in a very over-informative way: AuthenticationException with a full response status; a simple Access Denied would be preferred. The thing is, I get this:
ebr 15650 Posted October 31, 2014 Posted October 31, 2014 Ah, yes. I see. I retract my previous statement as it appears our API is actually what is giving you this access. 2
Danee 57 Posted October 31, 2014 Author Posted October 31, 2014 Thanks Ah, yes. I see. I retract my previous statement as it appears our API is actually what is giving you this access. Thanks, I hope this hole will be plugged soon
Untoten 303 Posted June 19, 2017 Posted June 19, 2017 (edited) @@ebr was this ever addressed? (another reason header auth/LDAP/SSO would be nice, so we can use enterprise applications for security) Edited June 19, 2017 by Untoten
Solution Luke 40006 Posted June 19, 2017 Solution Posted June 19, 2017 Yes this is no longer possible. 2
Untoten 303 Posted June 19, 2017 Posted June 19, 2017 Sounds good, just checking around for any sec issues left open, might want to mark this as answered so people see.
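The thread gives two URLs to check by hand and notes that even a denied request leaked an AuthenticationException with a full response status. The following audit script is an added example, not code from the thread or from the Media Browser/Emby project: it requests the two log endpoints on a server you administer and reports whether each answers anonymously (HTTP 200, "exposed"), refuses cleanly (401/403, "protected"), or refuses while returning exception text ("protected-verbose"). The port 8096 and the URL paths come from the thread; the hostname, the log file name, the classification labels and the regular expression used to spot verbose error bodies are assumptions of this example.

```python
"""Audit whether a Media Browser / Emby server's log endpoints answer
unauthenticated requests.  Added example; not part of the original thread."""
import re
import sys
import urllib.error
import urllib.request

# Endpoints quoted in the thread; {name} is the log file name placeholder.
LOG_PATHS = (
    "/mediabrowser/System/Logs/",
    "/mediabrowser/System/Logs/log?name={name}",
)

# Strings that suggest an exception or stack trace leaked into an error body
# (assumed markers, chosen for this example).
VERBOSE_MARKERS = re.compile(r"Exception|StackTrace|^\s+at ", re.I | re.M)


def classify(status, body):
    """Map an HTTP status and body to an audit verdict.

    200          -> 'exposed'            (log data served without auth)
    401/403      -> 'protected'          (denied with a terse body)
    401/403+dump -> 'protected-verbose'  (denied, but exception text leaked)
    None         -> 'unreachable'        (no HTTP response at all)
    anything else-> 'other'
    """
    if status is None:
        return "unreachable"
    if status == 200:
        return "exposed"
    if status in (401, 403):
        if VERBOSE_MARKERS.search(body or ""):
            return "protected-verbose"
        return "protected"
    return "other"


def fetch(url, timeout=5):
    """Return (status, first 4 KiB of body); status is None if unreachable."""
    req = urllib.request.Request(url, headers={"User-Agent": "log-exposure-audit"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # 4xx/5xx still carry a body worth inspecting for leaked detail.
        return err.code, err.read(4096).decode("utf-8", "replace")
    except urllib.error.URLError as err:
        return None, str(err.reason)


def audit(host, port=8096, log_name="LOGFILENAME"):
    """Probe both log endpoints on one host and return {url: verdict}."""
    results = {}
    for path in LOG_PATHS:
        url = f"http://{host}:{port}{path.format(name=log_name)}"
        status, body = fetch(url)
        results[url] = classify(status, body)
    return results


if __name__ == "__main__":
    # Usage: python audit_logs.py <hostname> [logfilename]
    if len(sys.argv) < 2:
        sys.exit("usage: audit_logs.py HOST [LOGFILENAME]")
    name = sys.argv[2] if len(sys.argv) > 2 else "LOGFILENAME"
    for url, verdict in audit(sys.argv[1], log_name=name).items():
        print(f"{verdict:18} {url}")
```

Run it against your own server's hostname before and after updating; a fixed install should report "protected" for both URLs. A "protected-verbose" result is the second problem Danee points out: access is denied, but the body still hands an anonymous caller internal exception names.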