Unauthenticated API can create/restore files in system - show user information - [ACTION REQUIRED]

[michnmi 8]

Hi all, 

I have a question

I can see in the swagger packages on my server (i.e. here http://swagger.emby.media/?url=http://emby_test:8096/openapi&api_key=blahblah#/ProfileHandler) that I can use  the following commands without any authentication 
 

GET
/MBBackup/Backups
DELETE
/MBBackup/Backups
POST
/MBBackup/Profiles/Backup
POST
/MBBackup/Profiles/Restore

This is really scaring me. 
I've also tried it myself 
I can definitely restore and create a Backup just by knowing my server's endpoint. 

I can also list backups. Which then in turn shows everything. 

Usernames / backup paths etc etc 

Can someone please look into this ? 
How can we disable this ? I have been looking for a way to stop this from happening from within EMBY , but I can't. 

MM
 

[PenkethBoy 1712]

if you are that worried - uninstall the server backup config plugin and the endpoints will disappear

[michnmi Topic Author 8]

Hi @PenkethBoy,

Thank you so much for your reply. 

Since the backup/restore plugin though is a very useful plugin I'd like to keep using it.

I have ways of blocking this from happening but I this is indeed something that should be solved in the API level. Uninstalling the plugin is not a good enough way of dealing with the issue. 

[Luke 25060]

We'll push an update to the plugin to resolve this. Thanks.

[michnmi Topic Author 8]

Thanks @Luke!!

MM