Security Issue? with easy pin code / local network detection
Komso123

Hi,

 

I'm using Emby version 3.2.35.0 running in a Docker container on Unraid (version 6.4.0-rc9f).

Using the official Docker container (https://registry.hub.docker.com/u/emby/embyserver/)

 

For local access I was using the easy pin code feature without a pin so I can log in to Emby locally without user authentication.

Recently I moved my server to another location and therefore I have set up remote access (HTTP, port 8096, built-in remote access) and discovered that I'm able to log in without a password. Then I tried to connect using a different internet connection and I had to log in with user/password, as it is supposed to.

 

So I looked at the logs and the only difference I discovered was the external IP address. There is nothing in the logs that indicates whether the login happened with user/password or with the easy pin locally.

 

My server uses the local IP address 192.168.0.250 (subnet mask 255.255.255.0).

My client with external IP 213.225.8.x -> login worked as supposed; login only possible with user and password.

My client with external IP 192.164.84.x -> login possible without using a password.

 

The only way I can explain this behavior is that the server incorrectly identifies my external IP as a local address.

 

But only 192.168.0.0 – 192.168.255.255 (192.168.0.0/16 (255.255.0.0)) is by RFC standard reserved for local networks; for example, 192.164.x.x is a public IP.

 

I don't know how the local network detection in Emby works and how it figures out the local subnet. Maybe there should be a manual config where the user can define the local subnet.

 

Maybe I'm missing something, but I think this is a bug.

 

Server logs:

My client with external IP 213.225.8.x -> login worked as supposed; login only possible with user and password: https://pastebin.com/Dfi68Si9

My client with external IP 192.164.84.x -> login possible without using a password: https://pastebin.com/UGvYBVRy

Edited by Komso123
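As an added illustration (this is not Emby's code; the thread does not show how Emby's detection actually works), the following Python compares three ways of deciding whether a client address is "local": a correct membership test against the RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) plus loopback and link-local, a stricter test that only accepts addresses on the server's own subnet (192.168.0.250/24 as given in the post), and a hypothetical string-prefix check that shows how a public address such as 192.164.84.x could be misclassified as private. The client addresses used below are constructed (the last octets in the post are masked).

```python
import ipaddress

# Reserved ranges that should count as "local" for a LAN-only convenience feature.
# RFC 1918 private IPv4 ranges, IPv4 loopback and link-local, IPv6 ULA, link-local and loopback.
PRIVATE_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "fc00::/7", "fe80::/10", "::1/128",
)]


def is_private_address(addr: str) -> bool:
    """Correct check: parse the address and test membership in each reserved network.

    Parsing first means every octet is compared numerically, so 192.164.84.1 is not
    confused with 192.168.x.x and 172.160.0.1 is not confused with 172.16.0.0/12.
    """
    ip = ipaddress.ip_address(addr.split("%", 1)[0])  # drop an IPv6 zone id such as %eth0
    return any(ip in net for net in PRIVATE_NETWORKS)


def is_on_server_subnet(addr: str, server_ip: str, netmask: str) -> bool:
    """Stricter check: only addresses on the server's own interface subnet count as local.

    This is the kind of manually configured subnet the post asks for. An address from a
    different RFC 1918 range (e.g. a VPN peer on 10.8.0.0/24) is rejected here.
    """
    net = ipaddress.ip_network(f"{server_ip}/{netmask}", strict=False)
    ip = ipaddress.ip_address(addr.split("%", 1)[0])
    return ip in net  # returns False (no exception) when the IP versions differ


def naive_prefix_is_local(addr: str) -> bool:
    """Hypothetical over-broad check (NOT taken from Emby): textual prefix matching.

    "192.16" also matches 192.160.0.0 - 192.169.255.255, and "172.16" also matches
    172.160.x.x, so a public address like 192.164.84.1 would be treated as local.
    """
    return addr.startswith(("10.", "172.16", "192.16"))


def classify(addr: str, server_ip: str = "192.168.0.250", netmask: str = "255.255.255.0") -> dict:
    """Return the verdict of each check for one client address, for side-by-side comparison."""
    return {
        "rfc1918": is_private_address(addr),
        "same_subnet": is_on_server_subnet(addr, server_ip, netmask),
        "naive_prefix": naive_prefix_is_local(addr),
    }


if __name__ == "__main__":
    # Constructed sample clients: the two cases from the post plus a few edge cases.
    for client in ("213.225.8.1", "192.164.84.1", "192.168.0.17", "172.160.0.1", "10.8.0.2"):
        print(f"{client:>14}: {classify(client)}")
```

Whichever check is used, it is only as good as the remote address the server actually sees: behind a reverse proxy every client appears to come from the proxy's (private) address unless the application is explicitly configured to trust a forwarded-for header from that proxy, which is a separate way for the same "no password needed" outcome to appear.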

1 month later...

Can you provide a server log from when it happens? I think right now our local detection is pretty good, but it's obviously hard to guarantee perfection with all of the possible network setups that can exist. If you fall into that category then you may just want to not use the pin feature.
