Jump to content

Unauthenticated access over the internet to Logs folder


Go to solution Solved by Luke,

Recommended Posts

Hello,

 

In this thread: http://mediabrowser.tv/community/index.php?/topic/12014-large-library-causing-issues/page-1 it is mentioned the server logfiles are available on the internet without any form of authentication. @@ebr responds to this with:

 

 

The ability to access files directly from your server is a function of your site configuration and really shouldn't have anything to do with MB.

 

I have not changed anything in my site configuration, I've done a standard installation so the installer configured the webserver for me. 

I am able to open my logs folder over the internet without any authentication, so it seems to me Media Browser does this out of the box.

 

To test it, use this link, but include your own hostname (or IP address) and logfilename.

 

http://[HOSTNAME]:8096/mediabrowser/System/Logs/

http://[HOSTNAME]:8096/mediabrowser/System/Logs/log?name=[VALIDLOGFILENAME]

 

Cheers,

 

Danee

Edited by Danee
  • Like 1
Link to post
Share on other sites

I find this a bit worrying. I'm running the server on a WHS 2011 system, and I have deliberately NOT enabled the Remote Web Access feature, so all I expect to see is a placeholder home page like so:

 

5453791d8f8ce_MB323.png

 

...And yet, as Danee says, my MB logs are also being exposed over the internet without any authentication:

 

54537a0c0f48b_MB324.png

 

This does not strike me as being acceptable behaviour.

Link to post
Share on other sites

...And yet, as Danee says, my MB logs are also being exposed over the internet without any authentication:

 

54537a0c0f48b_MB324.png

 

This does not strike me as being acceptable behaviour.

 

Well, actually, you are getting an access denied, but in a very over informative way: AuthenticationException with a full response status, a simple Acces Denied would be preferred.

 

The thing is, I get this:

545380899d422_logs.png

Link to post
Share on other sites

Ah, yes.  I see.  I retract my previous statement as it appears our API is actually what is giving you this access.

  • Like 2
Link to post
Share on other sites

Thanks

 

Ah, yes.  I see.  I retract my previous statement as it appears our API is actually what is giving you this access.

 

Thanks, I hope this hole will be plugged soon :)

Link to post
Share on other sites
  • 2 years later...
Untoten

@@ebr was this ever addressed? (another reason header auth/LDAP/SSO would be nice, so we can use enterprise applications for security)

Edited by Untoten
Link to post
Share on other sites
Untoten

Sounds good, just checking around for any sec issues left open, might want to mark this as answered so people see.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...