strugglez, posted July 11, 2024

Hi there, I've just recently discovered a non-admin user can go to /web/index.html#!/dashboard once authenticated and essentially reload the page with the URL and still shut down/restart the server and see active streams. Am I missing something? I've disabled admin and remote control for this user.

darkassassin07, posted July 11, 2024 (edited)

Hmm, in my testing, I can load the dashboard page with a non-admin user; however, only the top section containing the server name, version, and LAN/WAN URLs actually loads (info the clients already have), as well as the progress bars for any running tasks (this is new info to non-admins). The rest of the page is empty.

When clicking the shutdown/reload buttons, the client proceeds to ask if you're sure, then presents the 'restarting emby server' popup + loading wheel. The server does not actually perform the action though, and the log file shows it responding '403 forbidden' to the requests. This is also true for changing the server name (you can appear to in the client, but the server 403s it and doesn't perform the action).

While this doesn't reveal a whole lot of new info, non-admins still shouldn't be able to get this far, I would think.

Edited July 11, 2024 by darkassassin07

CBers, posted July 11, 2024 (edited)

Confirmed here. A non-Admin account can go to server/web/index.html#!/dashboard and restart and shut down the server. Can't do much else.

Edited July 11, 2024 by CBers