Question about logs


anderbytes

I've seen that in "Manage Server > Help > Logs", where the Logs list can be found, each one can be read and downloaded. OK so far.

 

The problem is: the generated URLs create a persistent authentication bypass where anyone with that URL can directly read this and other logs (simply by varying the incremental number).

 

Example: https://www.mydomain.com:8920/emby/System/Logs/Log?name=server-63597366821.txt&api_key=72ef32b64a3c3486842c519dcc75a06e

 

I modified the api_key here in this topic on purpose... or else anyone here would be allowed to download my logs. -_-

 

The problem: your browsing URL can be seen in a different number of places (cumulatively):

- Your local computers, by other users

- A network proxy, if you're accessing from an office (any IT employee there)

- Your ISP, which otherwise would not have that kind of information about your server (any IT employee there)

- NSA (everyone there) ;)

 

So... is it possible that the API_KEY will be hidden and a POST header (session-based) used, instead?

 

Thanks!

Edited by anderbytes
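The leak described in this post can be checked for on the defender's side. The following is an added example (not Emby's code and not the poster's) that scans constructed proxy/access log lines for URLs carrying a credential in the query string, and shows how the same request would look with the key moved into a request header instead; the header name `X-Emby-Token` and the sample log lines are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query-string parameters that carry credentials. Anything here is visible to
# every hop that records URLs: browser history, office proxies, the ISP.
SECRET_PARAMS = {"api_key", "apikey", "token", "access_token"}


def split_secret(url):
    """Return (url_without_secret_params, {param: value}) for one URL."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    kept = [(k, v) for k, v in pairs if k.lower() not in SECRET_PARAMS]
    leaked = {k: v for k, v in pairs if k.lower() in SECRET_PARAMS}
    clean = urlunsplit(parts._replace(query=urlencode(kept)))
    return clean, leaked


def scan_access_log(lines):
    """Flag log lines whose request URL carries a credential in the query string."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = re.search(r'"(?:GET|POST|PUT|DELETE)\s+(\S+)', line)
        if not m:
            continue
        clean, leaked = split_secret(m.group(1))
        if leaked:
            # Report the redacted URL only; never re-log the secret itself.
            findings.append({"line": lineno, "url": clean, "params": sorted(leaked)})
    return findings


def header_request(url, header_name="X-Emby-Token"):
    """Move api_key out of the URL into a header (header name is an assumption)."""
    clean, leaked = split_secret(url)
    key = leaked.get("api_key")
    if key is None:
        raise ValueError("no api_key in query string")
    return clean, {header_name: key}


# Constructed sample access-log lines (not real traffic; key value is a placeholder).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2020:10:00:00 +0000] "GET /emby/System/Logs/Log?name=server-1.txt&api_key=PLACEHOLDER_KEY HTTP/1.1" 200 5120',
    '10.0.0.5 - - [01/Jan/2020:10:00:01 +0000] "GET /emby/System/Info HTTP/1.1" 200 800',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['params']} exposed in {f['url']}")
```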