mobstef 1 Posted August 8, 2023
Why am I able to download images as an unauthenticated user? Seems like a major security flaw.
curl -v 'http://localhost:8096/emby/Items/337/Images/Primary'
* processing: http://localhost:8096/emby/Items/337/Images/Primary
* Trying [::1]:8096...
* Connected to localhost (::1) port 8096
> GET /emby/Items/337/Images/Primary HTTP/1.1
> Host: localhost:8096
> User-Agent: curl/8.2.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Length: 16547
< Content-Type: image/jpeg
< Date: Tue, 08 Aug 2023 03:25:09 GMT
< Server: UPnP/1.0 DLNADOC/1.50
< Accept-Ranges: bytes
< Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, Slug, Transfer-Encoding, Want-Digest, X-MediaBrowser-Token, X-Emby-Token, X-Emby-Client, X-Emby-Client-Version, X-Emby-Device-Id, X-Emby-Device-Name, X-Emby-Authorization
< Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS
< Access-Control-Allow-Origin: *
< Cache-Control: public
< ETag: "b98cc27289a45fcbf1221e7cb04f8888"
< Vary: Accept
< Access-Control-Allow-Private-Network: true
< transferMode.dlna.org: Interactive
< realTimeInfo.dlna.org: DLNA.ORG_TLAG=*
I can do exactly the same from remote (through a reverse proxy). Checked on 4.7.11, 4.7.12, 4.7.13, 4.8.0.40.
pektoral 22 Posted August 8, 2023
Hi mobstef, this has been known for a long time; to date there is no fix for it. I just fixed this myself through nginx reverse proxy redirection and processing (IP-based authentication), so all my images are only shown to people who are authenticated on my server. That's enough security for me....
Kind regards, pektoral
Luke 42077 Posted August 8, 2023
Hi, yes, we're going to get this changed. It's just something we have to plan out because, obviously, it's going to be breaking.
mobstef 1 Posted August 25, 2023 (Author)
Thanks for the replies, guys. If Emby is insecure by design, maybe the way to go for now would be to secure it externally (i.e. a proxy or reverse proxy). The problem I see is that, for example, the Android client does not understand HTTP Basic Authentication nor has proxy support, but browsers do.
Luke 42077 Posted August 25, 2023
4 hours ago, mobstef said: "Thanks for the replies, guys. If Emby is insecure by design, maybe the way to go for now would be to secure it externally (i.e. a proxy or reverse proxy). The problem I see is that, for example, the Android client does not understand HTTP Basic Authentication nor has proxy support, but browsers do."
Emby is not insecure by design. It is just this one thing related to images that we'll need to delicately plan out how and when we're going to change it.
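The reverse-proxy workaround pektoral describes and mobstef asks about, written out as an added nginx example (not configuration from the thread or from Emby): the artwork paths that Emby serves without a token are allowlisted to a trusted network at the proxy, while everything else passes through unchanged. The hostname, the 127.0.0.1:8096 upstream and the 192.168.1.0/24 network are assumed placeholders.

```nginx
# Added example, not from the thread. Emby answers /emby/Items/<id>/Images/<type>
# without any token (see the curl output above), so the proxy enforces a
# network-level check on exactly those paths. Placeholders: emby.example.com,
# upstream 127.0.0.1:8096, trusted LAN/VPN range 192.168.1.0/24.
upstream emby_backend {
    server 127.0.0.1:8096;
}

server {
    listen 443 ssl;
    server_name emby.example.com;
    # ssl_certificate / ssl_certificate_key omitted; add your own.

    # Item artwork: only reachable from the trusted range. The optional
    # "emby/" prefix is matched too, as a precaution in case a client
    # requests the same API path without it.
    location ~ ^/(emby/)?Items/[^/]+/Images/ {
        allow 192.168.1.0/24;
        deny  all;                      # everyone else gets 403
        proxy_pass http://emby_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }

    # Everything else (login, API, streams) is still protected by Emby's
    # own token checks and is proxied as-is.
    location / {
        proxy_pass http://emby_backend;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

This is a network-level substitute for per-user authentication, which is why pektoral calls it "enough security for me" rather than a fix; note also that `allow`/`deny` act on the client address nginx itself sees, so if another proxy or CDN sits in front of nginx, every request will appear to come from that hop and the rule must use the real-IP module instead.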