anderbytes
Posted April 27, 2016 (edited)

I've seen that in "Manage Server > Help > Logs", where the Logs list can be found, each one can be read and downloaded, OK so far.

The problem is: the generated URLs create a persistent authentication bypass where anyone with that URL can directly read this and other logs (simply varying the incremental number).

Example: https://www.mydomain.com:8920/emby/System/Logs/Log?name=server-63597366821.txt&api_key=72ef32b64a3c3486842c519dcc75a06e

I modified the api_key here in this topic on purpose... or else anyone here would be allowed to download my logs.

The problem: your browsing URL can be seen in a different number of places (cumulatively):

- Your local computers, by other users
- A network proxy, if you're accessing from an office (any IT employee there)
- Your ISP, that in other case would not have that kind of information about your server (any IT employee there)
- NSA (everyone there)

So... is it possible that the API_KEY will be hidden and a POST header (session-based) used, instead?

Thanks!

Edited April 27, 2016 by anderbytes
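Added example, not part of anderbytes' post or of Emby's own code: a small Python helper that detects the api_key-in-URL pattern described above in constructed proxy-log lines, strips the key before reporting so the report itself does not re-leak it, and builds the header-based alternative the post asks for. The `X-Emby-Token` header name and the log format are assumptions for illustration.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters that carry a credential and so must never sit in a logged URL.
SECRET_PARAMS = {"api_key"}

# Constructed sample proxy access-log lines (not real traffic): method, URL, status.
SAMPLE_LOG = """\
GET https://www.mydomain.com:8920/emby/System/Logs/Log?name=server-63597366821.txt&api_key=72ef32b64a3c3486842c519dcc75a06e 200
GET https://www.mydomain.com:8920/emby/System/Info 200
GET https://www.mydomain.com:8920/emby/System/Logs/Log?name=server-63597366822.txt&api_key=72ef32b64a3c3486842c519dcc75a06e 200
"""

LOG_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")

def strip_secrets(url):
    """Split a URL into (url without secret parameters, {param: value})."""
    parts = urlsplit(url)
    kept, secrets = [], {}
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key in SECRET_PARAMS:
            secrets[key] = value
        else:
            kept.append((key, value))
    return urlunsplit(parts._replace(query=urlencode(kept))), secrets

def scan_log(text):
    """Detection: one finding per log line whose URL carries a secret parameter.
    Findings keep only the parameter names and the stripped URL, never the value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = LOG_RE.match(line)
        if not match:
            continue  # unparsable line: skip rather than guess
        clean, secrets = strip_secrets(match.group("url"))
        if secrets:
            findings.append({"line": lineno, "params": sorted(secrets), "url": clean})
    return findings

def header_auth_request(url, header_name="X-Emby-Token"):
    """Mitigation: move the key out of the URL into a request header, which
    path-logging intermediaries do not normally record. The header name is an
    assumption for illustration; confirm it against the server's API docs."""
    clean, secrets = strip_secrets(url)
    headers = {header_name: secrets["api_key"]} if "api_key" in secrets else {}
    return {"url": clean, "headers": headers}
```

Run `scan_log(SAMPLE_LOG)` to see which constructed lines leak the key, and `header_auth_request(...)` on one of those URLs to see the same request with the key carried in a header instead of the query string.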