A vulnerability that must be closed on the user side


  • This topic is locked
3 replies to this topic

#1 younessesoft

    Newbie

  • Members
  • 4 posts
  • Local time: 07:30 AM

Posted 30 January 2020 - 06:24 PM

Peace be upon you and the mercy and blessings of God. There is a vulnerability: the user can use interception programs such as httpdebugger and the fiddler program.

For example, when clicking on the channel

http://188.227.58.45...itrate=10000000

a JSON response like this one will come back, for example:

{
"MediaSources" : [
{
"Bitrate" : 4701564,
"Container" : "mp4",
"DefaultAudioStreamIndex" : 1,
"Formats" : [],
"Id" : "xxxxxxxx",
"IsInfiniteStream" : true,
"IsRemote" : true,
"LiveStreamId" : "060422ce6fdf19fc9ecfaaeb4_01413a525b3a96642d7a329",
"MediaStreams" : [
{
"AspectRatio" : "16:9",
"AverageFrameRate" : 29.0,
"BitDepth" : 8,
"BitRate" : 4499145,
"Codec" : "h264",
"CodecTag" : "avc1",
"CodecTimeBase" : "15868574/951162363",
"ColorPrimaries" : "bt709",
"ColorSpace" : "bt709",
"ColorTransfer" : "bt709",
"DisplayTitle" : "720p H264",
"Height" : 720,
"Index" : 0,
"IsAVC" : true,
"IsAnamorphic" : false,
"IsDefault" : true,
"IsExternal" : false,
"IsForced" : false,
"IsInterlaced" : false,
"IsTextSubtitleStream" : false,
"Language" : "und",
"Level" : 40,
"NalLengthSize" : "4",
"PixelFormat" : "yuv420p",
"Profile" : "Main",
"Protocol" : "File",
"RealFrameRate" : 29.0,
"RefFrames" : 1,
"SupportsExternalStream" : false,
"TimeBase" : "1/90000",
"Type" : "Video",
"VideoRange" : "SDR",
"Width" : 1280
},
{
"BitRate" : 192005,
"ChannelLayout" : "stereo",
"Channels" : 2,
"Codec" : "aac",
"CodecTag" : "mp4a",
"CodecTimeBase" : "1/48000",
"DisplayTitle" : "Und AAC stereo (Default)",
"Index" : 1,
"IsDefault" : true,
"IsExternal" : false,
"IsForced" : false,
"IsInterlaced" : false,
"IsTextSubtitleStream" : false,
"Language" : "und",
"Profile" : "LC",
"Protocol" : "File",
"SampleRate" : 48000,
"SupportsExternalStream" : false,
"TimeBase" : "1/48000",
"Type" : "Audio"
}
],
"Path" : "http://my.hoste.com:...ggg/178714.m3u",
"Protocol" : "Http",
"ReadAtNativeFramerate" : false,
"RequiredHttpHeaders" : {
"User-Agent" : "VLC/3.0.1"
},
"RequiresClosing" : true,
"RequiresLooping" : true,
"RequiresOpening" : true,
"Size" : 4343613479,
"SupportsDirectPlay" : false,
"SupportsDirectStream" : false,
"SupportsProbing" : false,
"SupportsTranscoding" : true,
"TranscodingContainer" : "ts",
"TranscodingSubProtocol" : "hls",
"TranscodingUrl" : "/videos/12527/master.m3u8",
"Type" : "Default"
}
],
"PlaySessionId" : "3923097cd6e2064d0e4"
}

As you can see, unfortunately the original stream URL is exposed, so it will be stolen and used directly:

  "Path" : "http://my.hoste.com:...gg/178714.m3u",

If anyone knows a way to remove this part on the user side, please tell us, or it must be fixed in the next update, because it is a vulnerability and unfortunately a totally devastating one, and the Emby portal cannot be trusted as long as this vulnerability is not closed. Thank you.

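The leak described in this post is an information-disclosure problem: the PlaybackInfo-style response hands the server's own upstream stream URL (`Path`) and its required headers to a client that can only play the channel through the server's transcoder. Below is an added example, not code from the thread or from Emby, of a server-side filter that redacts those fields before the response leaves the server, plus a check that reports sources still leaking. The field names follow the JSON posted above; the redaction rule (strip origin details only when the client cannot direct-play or direct-stream) and the sample host are assumptions.

```python
# Added example (not from the thread or from Emby): a server-side filter that
# strips origin-revealing fields from a PlaybackInfo-style response before it
# reaches the client. Field names follow the JSON posted above; the rule for
# which fields to strip is an assumption.
import copy

# Fields that reveal where the server itself fetches the live stream from;
# a client that can only play through the transcoder never needs them.
ORIGIN_FIELDS = ("Path", "RequiredHttpHeaders")


def client_needs_path(source: dict) -> bool:
    """A client needs the raw Path only when it may fetch the media directly."""
    return bool(source.get("SupportsDirectPlay") or source.get("SupportsDirectStream"))


def redact_media_sources(playback_info: dict) -> dict:
    """Copy of the response with origin details removed from every MediaSource
    that the client can only reach through the server's transcoder."""
    out = copy.deepcopy(playback_info)
    for source in out.get("MediaSources", []):
        if source.get("Protocol") != "Http" or client_needs_path(source):
            continue  # local file, or the client legitimately fetches it directly
        for field in ORIGIN_FIELDS:
            source.pop(field, None)
    return out


def leaked_origins(playback_info: dict) -> list:
    """Detection helper: Ids of MediaSources that still hand an upstream HTTP
    URL to a client that cannot use it directly (the leak the post describes)."""
    return [
        s.get("Id")
        for s in playback_info.get("MediaSources", [])
        if s.get("Protocol") == "Http" and "Path" in s and not client_needs_path(s)
    ]


# Constructed sample, trimmed from the response posted above (placeholder host).
SAMPLE = {"MediaSources": [{
    "Id": "xxxxxxxx",
    "Protocol": "Http",
    "Path": "http://origin.example:8080/live/178714.m3u",
    "RequiredHttpHeaders": {"User-Agent": "VLC/3.0.1"},
    "SupportsDirectPlay": False,
    "SupportsDirectStream": False,
    "TranscodingUrl": "/videos/12527/master.m3u8",
}]}
```

Running `leaked_origins` over responses captured at the server edge is a quick audit of whether any live-TV source still exposes its origin; the client keeps `TranscodingUrl`, which is all it needs to play.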


#2 Luke

    System Architect

  • Administrators
  • 149390 posts
  • Local time: 01:30 AM

Posted 31 January 2020 - 01:10 AM

@Abobader


#3 Abobader

    Super-Tester

  • Administrators
  • 9463 posts
  • Local time: 09:30 AM

Posted 31 January 2020 - 05:58 AM

And peace be upon you and the mercy of God.

Thank you for the information. Honestly, I do not use this system myself, but I will pass the information on to the developers today and reply to you here.

Regards



#4 Abobader

    Super-Tester

  • Administrators
  • 9463 posts
  • Local time: 09:30 AM

Posted 31 January 2020 - 02:09 PM

https://emby.media/c...-user/?p=838207
