WAN Access treated like LAN when "X-Forwarded-For" header is set, allowing login w/o password

February 2, 2020

Hi, I've got a premiere Emby-Server V4.3.1.0 running on Windows with remote connections enabled. It seems that one can trick the server into believing that a request is comming from LAN by setting the "X-Forwarded-For" request header. Testcase: wget --no-check-certificate -O - https://xyz.dyndns.org:8920/Users/authenticatebyname \ --header 'x-emby-authorization: MediaBrowser Client="Emby Web", Device="WGET", DeviceId="XYZ", Version="4.3.1.0"' \ --header 'content-type: application/json'

94 replies