Jump to content

Unauthenticated API can create/restore files in system - show user information - [ACTION REQUIRED]

michnmi

By michnmi
in Developer API

 Share

Recommended Posts

michnmi

michnmi 10

Posted
Posted

Hi all, 

I have a question

I can see in the swagger packages on my server (i.e. here http://swagger.emby.media/?url=http://emby_test:8096/openapi&api_key=blahblah#/ProfileHandler) that I can use  the following commands without any authentication 
  

GET
/MBBackup/Backups
DELETE
/MBBackup/Backups
POST
/MBBackup/Profiles/Backup
POST
/MBBackup/Profiles/Restore

This is really scaring me. 
I've also tried it myself 
I can definitely restore and create a Backup just by knowing my server's endpoint. 

I can also list backups. Which then in turn shows everything. 

Usernames / backup paths etc etc 

Can someone please look into this ? 
How can we disable this ? I have been looking for a way to stop this from happening from within EMBY , but I can't. 

MM
 

  • Like 1
PenkethBoy

PenkethBoy 2066

Posted
Posted

if you are that worried - uninstall the server backup config plugin and the endpoints will disappear

michnmi

michnmi 10

Posted
  • Author
Posted

Hi @PenkethBoy,

Thank you so much for your reply. 

Since the backup/restore plugin though is a very useful plugin I'd like to keep using it.

I have ways of blocking this from happening but I this is indeed something that should be solved in the API level. Uninstalling the plugin is not a good enough way of dealing with the issue. 

Luke Emby Team

Luke 40120

Posted
Posted

We'll push an update to the plugin to resolve this. Thanks.

  • Like 1

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...