Jooki, posted December 12, 2019 (edited):
At our own risk, of course. It has a serious vulnerability, it can be easily used maliciously. Say that the random Russian/Chinese scan down your server and find out that they can access the 8096 port; they get in and they see a series of usernames, all password-protected. Then they get into forgot password and introduce any of said usernames; each creates a file on our servers. A simple script can automate that, and if run indefinitely it can easily and quickly flood the hard drive. There is no chance that I as sysadmin forget my goddamn passwords anyway...

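An added example, not part of the original thread and not Emby code: one way to spot the automated reset-request pattern described in the post above from reverse-proxy access logs. It assumes common log format and a placeholder request path (`RESET_PATH`); the function names and sample lines are constructed for illustration.

```javascript
// Added example, not Emby code. RESET_PATH is an assumed placeholder:
// replace it with the reset-request path your proxy actually logs.
const RESET_PATH = '/Users/ForgotPassword';
const MONTHS = ['Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun',
                'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec'];
const LINE_RE = /^(\S+) \S+ \S+ \[(\d{2})\/([A-Z][a-z]{2})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})\] "(\S+) (\S+)/;

// Parse one common-log-format line; return null if it does not match.
function parseLine(text) {
  const m = LINE_RE.exec(text);
  if (!m) return null;
  const [, ip, dd, mon, yyyy, hh, mi, ss, sign, tzh, tzm, method, url] = m;
  const offsetMs = (sign === '-' ? -1 : 1) * (tzh * 60 + +tzm) * 60000;
  const ts = Date.UTC(+yyyy, MONTHS.indexOf(mon), +dd, +hh, +mi, +ss) - offsetMs;
  return { ip, ts, method, path: url.split('?')[0].toLowerCase() };
}

// Report clients that exceed `threshold` reset requests inside any
// sliding window of `windowMs`, with the peak count observed.
function findResetFloods(lines, { windowMs = 60000, threshold = 5 } = {}) {
  const recent = new Map();  // ip -> timestamps still inside the window
  const flagged = new Map(); // ip -> peak in-window request count
  for (const text of lines) {
    const hit = parseLine(text);
    if (!hit || hit.method !== 'POST') continue;
    if (!hit.path.endsWith(RESET_PATH.toLowerCase())) continue;
    const times = (recent.get(hit.ip) || []).filter((t) => hit.ts - t < windowMs);
    times.push(hit.ts);
    recent.set(hit.ip, times);
    if (times.length > threshold) {
      flagged.set(hit.ip, Math.max(flagged.get(hit.ip) || 0, times.length));
    }
  }
  return [...flagged].map(([ip, peak]) => ({ ip, peak }));
}

// Constructed sample log (documentation address ranges, not real traffic).
const logLine = (ip, sec, path) =>
  `${ip} - - [12/Dec/2019:10:00:${String(sec).padStart(2, '0')} +0000] "POST ${path} HTTP/1.1" 200 64`;
const SAMPLE_LOG = [
  ...[1, 3, 5, 7, 9, 11, 13].map((s) => logLine('198.51.100.7', s, '/emby' + RESET_PATH)),
  logLine('203.0.113.20', 2, RESET_PATH),
  logLine('203.0.113.20', 40, '/some/other/path'),
  'not a log line',
];

console.log(findResetFloods(SAMPLE_LOG));
```

The same window and threshold can be enforced as a rate limit at the reverse proxy, which bounds how many reset files a single client can cause to be created.
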
PenkethBoy, posted December 12, 2019:
You can disable users appearing on the login screen - both LAN and WAN - which means that somebody has to know the username before they try and log in. Not the same but close.

Jooki, posted December 12, 2019 (edited):
> you can disable users appearing on the login screen - both LAN and WAN - which means that somebody has to know the username before they try and login not the same but close

I know, please understand that I don't want to do that. It's as simple as someone coming in and introducing "admin" or "administrator" in the user field, you see... Yes, I can use "hashministrator" or whatever instead but... seems a bit silly, doesn't it?

PenkethBoy, posted December 12, 2019:
Why not? It's more secure than just leaving usernames etc. open to script kiddies hammering your server - IIRC the hide users was a measure brought in to help prevent attacks - if you must open your server to the unwashed internet.

Jooki, posted December 12, 2019 (edited):
> Why not?

1. I don't need to explain my reasons.

> its more secure than just leaving usernames etc open to script kiddies hammering your server

2. As I said, them kids can still brute force "admin" or "administrator" or just script the alphabet or the dictionary and eventually find "hashministrator" or whatnot.
3. It's undeniable that the most and 100% secure way is to just hide the "Forgot password" button.

PenkethBoy, posted December 12, 2019:
LOL

Jooki, posted December 12, 2019:
You've been real useful, thank you for your help.

jaycedk, posted December 13, 2019 (edited):
You could try custom CSS.
https://emby.media/community/index.php?/topic/62730-custom-login-screen-fixed/page-2?hl=%2Bhide+%2Bforgot+%2Bpassword&do=findComment&comment=736784
But that will only work on the web client.

chef, posted December 13, 2019 (edited):
Here is a mutation observer global function you add to the scripts folder in the webapp:

```javascript
(function (win) {
    'use strict';

    var listeners = [],
        doc = win.document,
        MutationObserver = win.MutationObserver || win.WebKitMutationObserver,
        observer;

    function ready(selector, fn) {
        // Store the selector and callback to be monitored
        listeners.push({
            selector: selector,
            fn: fn
        });
        if (!observer) {
            // Watch for changes in the document
            observer = new MutationObserver(function (mutations) {
                check();
            });
            observer.observe(doc.documentElement, {
                childList: true,
                subtree: true,
                attributes: true,
                attributeOldValue: true,
            });
        }
        // Check if the element is currently in the DOM
        check();
    }

    function check() {
        // Check the DOM for elements matching a stored selector
        for (var i = 0, len = listeners.length, listener, elements; i < len; i++) {
            listener = listeners[i];
            // Query for elements matching the specified selector
            elements = doc.querySelectorAll(listener.selector);
            for (var j = 0, jLen = elements.length, element; j < jLen; j++) {
                element = elements[j];
                // Make sure the callback isn't invoked with the
                // same element more than once
                if (!element.ready) {
                    element.ready = true;
                    // Invoke the callback with the element
                    listener.fn.call(element, element);
                }
            }
        }
    }

    // Expose `ready`
    win.ready = ready;
})(this);
```

Add the script to the DOM by adding a reference to the mutation script right under apploader.js:

```html
<script src="scripts/mutation.js"></script>
```

In the index.html, create <script> tags right before the </body> tag and add this code:

```html
<script>
    ready('.cardScalable[data-type="ForgotPassword"]', (element) => {
        element.parentNode.removeChild(element);
    })
</script>
```

Now whenever that forgot password button is created in the web app, it is then removed. This code needs testing, but you get the idea.

dcol, posted December 30, 2020:
I would also like to see this as it is a security risk. Also have an option to remove manual login in the sign-in page. Only the admin should have full control over the users' login page. The above script would only work until you applied an update. Should be an admin user setting option.

crusher11, posted December 31, 2020:
I'd also like to see this option, but in my case because I don't use Emby Connect so it doesn't actually do anything except confuse users.