Security vulnerabilities And Bug

bugs

9 replies to this topic

#1 jpsn

    Newbie

  • Members
  • 1 posts

Posted 11 March 2020 - 08:39 PM

vul: Non-administrative users can access the /web/index.html#!/dashboard page to view the activities of other users and control their behavior.

bug: The MOV format (iPhone HEIC and MOV photo) video in the album is playing incorrectly most of the time, indicating that there is currently no compatible stream.



#2 Happy2Play

    Trial and Error

  • Moderators
  • 19116 posts
  • Location: Washington State

Posted 11 March 2020 - 09:00 PM

Yes, knowing URLs can get you places you shouldn't be. The only thing I see you can affect is Active Device controls. And obviously see the server WAN and LAN info. You do not have access to the Activities section or log.

 

I guess you can access the API, but they would get "User does not have admin access" when trying any endpoint.

 

Also you should make different topics for different issues as the additional issue usually gets lost.


Edited by Happy2Play, 11 March 2020 - 09:00 PM.


#3 Luke

    System Architect

  • Administrators
  • 156704 posts

Posted 11 March 2020 - 09:02 PM

Hi there, thanks for reporting. We'll take a look at this.

Regarding the mov file, please see how to report a media playback issue:
https://emby.media/c...port-a-problem/
Thanks!

#4 Q-Droid

    Advanced Member

  • Members
  • 503 posts

Posted 12 March 2020 - 10:39 AM

...
And obviously see the server WAN and LAN info.
...


Unfortunately, anyone who can reach your server URL can get this info.

#5 ebr

    Chief Bottle Washer

  • Administrators
  • 51887 posts

Posted 12 March 2020 - 10:45 AM

Unfortunately, anyone who can reach your server URL can get this info.

 

Anyone who reaches your server URL already has that information, though, correct...?



#6 Q-Droid

    Advanced Member

  • Members
  • 503 posts

Posted 12 March 2020 - 10:58 AM

Anyone who reaches your server URL already has that information, though, correct...?


LAN, WAN, hostname and Emby version. No login required.

#7 ebr

    Chief Bottle Washer

  • Administrators
  • 51887 posts

Posted 12 March 2020 - 11:01 AM

LAN, WAN, hostname and Emby version. No login required.

 

Right - but the only way they got there to see that was by already knowing the information they are looking at (other than the LAN address and version which are of no value I can think of).

 

We're working on closing this up but the particular things you are pointing out here don't really seem to be an issue because you're basically saying that anyone at your house can find out your address...



#8 Q-Droid

    Advanced Member

  • Members
  • 503 posts

Posted 12 March 2020 - 11:07 AM

Right - but the only way they got there to see that was by already knowing the information they are looking at (other than the LAN address and version which are of no value I can think of).

We're working on closing this up but the particular things you are pointing out here don't really seem to be an issue because you're basically saying that anyone at your house can find out your address...


Anyone anywhere if your server is configured for remote access.

#9 ebr

    Chief Bottle Washer

  • Administrators
  • 51887 posts

Posted 12 March 2020 - 11:10 AM

Anyone anywhere if your server is configured for remote access.

 

Sorry, I don't understand what you are saying there but your objection here is that anyone that has your server url can see your server url.

 

That is true but I can't see what the additional vulnerability is there.  They can look in the browser address bar and see the same thing...



#10 Q-Droid

    Advanced Member

  • Members
  • 503 posts

Posted 12 March 2020 - 11:21 AM

Sorry, I don't understand what you are saying there but your objection here is that anyone that has your server url can see your server url.

That is true but I can't see what the additional vulnerability is there. They can look in the browser address bar and see the same thing...

What I'm saying is that anyone who can discover your public Emby IP and port can then obtain your LAN IP, server hostname and Emby version.

Edit: and public domain.

Edited by Q-Droid, 12 March 2020 - 11:25 AM.
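The two points argued in this thread, that reaching the dashboard page (a client-side route) is harmless only if every data endpoint behind it enforces the admin role server-side (post #2), and that an unauthenticated info endpoint should hand out no more than the login page actually needs (posts #4 to #10), come down to one thing: authorization and data minimization belong in the request handler, not in which URLs a user happens to know. The following is an added illustration, not Emby's code or API. It models a tiny API with three access tiers in plain Python; the route paths, user records, token values and the system-info fields are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Constructed sample data (assumptions for this example, not from the thread).
# Tokens map to user records; only "alice" holds the admin role.
USERS: Dict[str, dict] = {
    "tok-admin": {"name": "alice", "is_admin": True},
    "tok-user": {"name": "bob", "is_admin": False},
}

# The kind of record the thread describes being exposed: LAN/WAN address,
# hostname and version. Values are constructed placeholders.
SYSTEM_INFO = {
    "ServerName": "media-box",
    "Version": "0.0.0-example",
    "LocalAddress": "http://192.0.2.10:8096",
    "WanAddress": "http://203.0.113.5:8096",
}

# Data minimization: the unauthenticated endpoint only returns what a login
# page needs to render, never the network addresses.
PUBLIC_FIELDS = ("ServerName", "Version")

ADMIN_DENIED = "User does not have admin access"  # message quoted in post #2


@dataclass
class Request:
    path: str
    token: Optional[str] = None


@dataclass
class Response:
    status: int
    body: dict


Handler = Callable[[Optional[dict]], dict]

# Every route declares the tier it requires: "public", "user" or "admin".
# Hypothetical paths; they are not Emby's real endpoints.
ROUTES: Dict[str, Tuple[str, Handler]] = {
    "/api/system/info/public": (
        "public",
        lambda user: {k: SYSTEM_INFO[k] for k in PUBLIC_FIELDS},
    ),
    "/api/system/info": ("admin", lambda user: dict(SYSTEM_INFO)),
    "/api/sessions": (  # "Active Device controls" from post #2
        "admin",
        lambda user: {"sessions": [{"device": "tv-livingroom", "user": "bob"}]},
    ),
    "/api/users/me": ("user", lambda user: {"name": user["name"]}),
}


def handle(request: Request) -> Response:
    """Central authorization check: the tier is enforced here, per request,
    regardless of which page or deep link the client used to get here."""
    route = ROUTES.get(request.path)
    if route is None:
        return Response(404, {"error": "Not found"})
    required, handler = route
    if required == "public":
        return Response(200, handler(None))
    user = USERS.get(request.token) if request.token else None
    if user is None:
        # Distinguish "who are you?" (401) from "you may not" (403).
        return Response(401, {"error": "Authentication required"})
    if required == "admin" and not user["is_admin"]:
        return Response(403, {"error": ADMIN_DENIED})
    return Response(200, handler(user))


def audit_public_exposure() -> list:
    """Defensive self-check: list any public route whose response carries a
    field outside PUBLIC_FIELDS, so an address leak is caught at review time."""
    leaks = []
    for path, (tier, handler) in ROUTES.items():
        if tier == "public":
            extra = set(handler(None)) - set(PUBLIC_FIELDS)
            if extra:
                leaks.append((path, sorted(extra)))
    return leaks


if __name__ == "__main__":
    for req in (Request("/api/system/info/public"),
                Request("/api/system/info", "tok-user"),
                Request("/api/system/info", "tok-admin"),
                Request("/api/sessions")):
        print(req.path, req.token, handle(req))
    print("public leaks:", audit_public_exposure())
```

The point of the structure is that the web client's `#!/dashboard` route can be rendered for anyone without consequence, because the dashboard's data calls all go through `handle`, and a non-admin token gets the same 403 at every admin route. `audit_public_exposure` is the kind of check a maintainer would run in CI to make sure the public info endpoint never grows a network-address field.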
