Danee, posted October 31, 2014 (edited October 31, 2014):

Hello,

In this thread: http://mediabrowser.tv/community/index.php?/topic/12014-large-library-causing-issues/page-1 it is mentioned the server logfiles are available on the internet without any form of authentication.

@ebr responds to this with: "The ability to access files directly from your server is a function of your site configuration and really shouldn't have anything to do with MB."

I have not changed anything in my site configuration, I've done a standard installation so the installer configured the webserver for me. I am able to open my logs folder over the internet without any authentication, so it seems to me Media Browser does this out of the box.

To test it, use this link, but include your own hostname (or IP address) and logfilename.

http://[HOSTNAME]:8096/mediabrowser/System/Logs/
http://[HOSTNAME]:8096/mediabrowser/System/Logs/log?name=[VALIDLOGFILENAME]

Cheers,
Danee

gcoupe, posted October 31, 2014:

I find this a bit worrying. I'm running the server on a WHS 2011 system, and I have deliberately NOT enabled the Remote Web Access feature, so all I expect to see is a placeholder home page like so:

...And yet, as Danee says, my MB logs are also being exposed over the internet without any authentication:

This does not strike me as being acceptable behaviour.

Danee, posted October 31, 2014:

"...And yet, as Danee says, my MB logs are also being exposed over the internet without any authentication: This does not strike me as being acceptable behaviour."

Well, actually, you are getting an access denied, but in a very over-informative way: AuthenticationException with a full response status; a simple Access Denied would be preferred.

The thing is, I get this:

pir8radio, posted October 31, 2014:

Mine are accessible as well.

ebr, posted October 31, 2014:

Ah, yes. I see. I retract my previous statement as it appears our API is actually what is giving you this access.

Danee, posted October 31, 2014:

"Ah, yes. I see. I retract my previous statement as it appears our API is actually what is giving you this access."

Thanks, I hope this hole will be plugged soon.

Untoten, posted June 19, 2017 (edited June 19, 2017):

@ebr was this ever addressed? (another reason header auth/LDAP/SSO would be nice, so we can use enterprise applications for security)

Luke, posted June 19, 2017 (marked as solution):

Yes, this is no longer possible.

Untoten, posted June 19, 2017:

Sounds good, just checking around for any sec issues left open, might want to mark this as answered so people see.

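An added example, not part of any post in this thread and not Media Browser code: a self-check that requests the log listing URL from the first post with no credentials, for confirming that your own server now refuses it. Treating 401/403 as "protected" and 2xx as "exposed" is an assumption about how the server signals denial; the script name and function names are hypothetical.

```python
"""Self-check: does a server answer the log listing without credentials?"""
import sys
import urllib.error
import urllib.request

# Path and port quoted in the first post of this thread.
LOG_LISTING_PATH = "/mediabrowser/System/Logs/"
DEFAULT_PORT = 8096


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx replies as errors so a redirect to a login page
    is not mistaken for a successful, unauthenticated read."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status):
    """Interpret the status of a request sent with no credentials.
    Assumption: the server denies access with 401 or 403."""
    if status in (401, 403):
        return "protected"
    if 200 <= status < 300:
        return "exposed"
    return "inconclusive"  # redirects, 404, 5xx: inspect by hand


def check_log_endpoint(base_url, timeout=5):
    """GET the log listing anonymously and classify the reply."""
    # Empty ProxyHandler: connect directly, ignoring proxy environment variables.
    opener = urllib.request.build_opener(NoRedirect, urllib.request.ProxyHandler({}))
    try:
        with opener.open(base_url.rstrip("/") + LOG_LISTING_PATH, timeout=timeout) as resp:
            return classify(resp.status)
    except urllib.error.HTTPError as err:
        return classify(err.code)
    except (urllib.error.URLError, OSError):
        return "unreachable"


if __name__ == "__main__":
    # Usage: python check_logs.py <hostname-of-your-own-server>
    host = sys.argv[1]
    print(host, check_log_endpoint("http://%s:%d" % (host, DEFAULT_PORT)))
```

Run it from outside your network as well as from the LAN, since the thread concerns access over the internet.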