pir8radio, posted March 11, 2015:
I have a guest user set up with no privileges. Though the links are hidden from the GUI, this user can still type in /web/edititemmetadata.html and edit metadata; the same goes for user preferences... I have yet to test this bypassing the reverse proxy; I hope that's the issue. Otherwise the security settings don't do anything if you're familiar with the media browser paths. Can someone confirm or deny, please?

Rowlett, posted March 11, 2015:
I've just tried today without using a reverse proxy and also get the same results - a user with guest access using direct links (like the one you posted) was able to access everything.

pir8radio, posted March 13, 2015 (edited):
Is this something that we can get fixed in the next release? Pretty please?

pir8radio, posted March 14, 2015:
Just a BUMP reminder: I cannot open my server to the general public if they can bypass security settings and change my files, or edit their user profile. I will continue to search for some holes; if I find many more I'll just make a new thread...

pir8radio, posted March 20, 2015:
@Luke @ebr These security holes are still in the new beta.

Luke, posted March 20, 2015:
The API is secure, and that will prevent them from making any changes. It's just the HTML, and that will be looked at in a future release.