Oceanus 6 Posted December 29, 2020 Author Posted December 29, 2020 (edited) On 12/26/2020 at 9:56 PM, cayars said: The "vulnerability" in itself is that a non-admin can get to any admin section (regardless of what they can see or change). exactly! Edited December 29, 2020 by Oceanus
Thomas64 40 Posted January 8, 2021 Posted January 8, 2021 (edited) Could this be associated with a User who is NOT set to "Allow this user to manage the server" still seeing the "Manage Emby Server" icon in the Web Interface? Should the "Manage Emby Server" Icon even be there for a user not enabled to do so? Maybe there is some shared code/logic at work allowing both situations to happen? The user I am logged in as to get this screen snip is NOT allowed to manage the server - but still gets the Icon. In this instance, the "Manage Emby Server" icon ends up just giving the same exact options as the normal Settings Icon - which makes one of them redundant. For a User who IS allowed to manage the server - both the normal Settings Icon and "Manage Emby Server" Icon give the exact same options (to change user settings AND manage the server). The Emby Server Icon just takes you directly to the Dashboard first. Edited January 8, 2021 by Thomas64
Happy2Play 9834 Posted January 8, 2021 Posted January 8, 2021 (edited) 19 minutes ago, Thomas64 said: Could this be associated with a User who is NOT set to "Allow this user to manage the server" still seeing the "Manage Emby Server" icon in the Web Interface? Should the "Manage Emby Server" Icon even be there for a user not enabled to do so? Maybe there is some shared code/logic at work allowing both situations to happen? The user I am logged in as to get this screen snip is NOT allowed to manage the server - but still gets the Icon.. In this instance, the "Manage Emby Server" icon ends up just giving the same exact options as the normal Settings Icon - which makes one of them redundant. For a User who IS allowed to manage the server - both the normal Settings Icon and "Manage Emby Server" Icon give the exact same options (to change user settings AND manage the server). The Emby Server Icon just takes you directly to the Dashboard first. Unless there is a browser cache issue I have never seen a user that does not have "Allow this user to manage the server" enabled have the option displayed on screen. Looks like this is a change that I just never noticed. But does not show any dashboard stuff. But the issue in this topic is users using urls to get to said locations. Edited January 8, 2021 by Happy2Play
Carlo 4561 Posted January 8, 2021 Posted January 8, 2021 You and me both Happy2Play. I've never held the mouse over the icon to pull up the description. That might however be better with a tooltip such as "Configuration" vs "Manage Emby Server".
Thomas64 40 Posted January 8, 2021 Posted January 8, 2021 (edited) 21 hours ago, Happy2Play said: But the issue in this topic is users using urls to get to said locations. Gotcha'... Was just thinking maybe the underlying coding was allowing both situations to happen. Edited January 8, 2021 by Thomas64
maximumentropy 34 Posted May 9 Posted May 9 I've been revisiting old threads in which I had participated, doing some cleanup of my followed content here. This issue seems to be mostly, but not completely, mitigated in the current server version I'm running (4.9.3.0). When I visit the dashboard URL as an unprivileged local user, I can see a few elements, which are mostly non-functional - such as "Change server display name", "View server info", and "Emby Premiere" (it doesn't show the key). Unfortunately, I also see the power button, and both "Restart Emby Server" and "Shutdown Emby Server" are live and functional, allowing a local denial of service. Can this be addressed? Thanks!
Luke 42528 Posted May 9 Posted May 9 2 hours ago, maximumentropy said: Unfortunately, I also see the power button, and both "Restart Emby Server" and "Shutdown Emby Server" are live and functional, allowing a local denial of service. Unless they are directly on the server machine then it shouldn't work.
maximumentropy 34 Posted May 9 Posted May 9 14 minutes ago, Luke said: Unless they are directly on the server machine then it shouldn't work. I confirmed that's true - I was able to go through the motions from a browser on another system, but it didn't actually shut down. Is there a way to prevent it from working when browsing directly on the server machine? Thanks!
ebr 16430 Posted May 9 Posted May 9 59 minutes ago, maximumentropy said: Is there a way to prevent it from working when browsing directly on the server machine? Hi. What would be the point? If physical access is compromised, they can do whatever they wish. They could shut down the process from task manager or just turn off the machine.
maximumentropy 34 Posted May 9 Posted May 9 10 minutes ago, ebr said: Hi. What would be the point? If physical access is compromised, they can do whatever they wish. They could shut down the process from task manager or just turn off the machine. Layers of security. There are cases where the connection could appear to originate on the local machine although a remote browser was used. Reverse proxy running on the same server comes to mind. More to the point, is there some situation in which the current behavior is desirable?
ebr 16430 Posted May 9 Posted May 9 3 minutes ago, maximumentropy said: is there some situation in which the current behavior is desirable? Someone has locked themselves out of their own Admin account. In this case, we provide a PIN available only on the server machine and allowing some operation when there is physical access to the machine can make getting yourself out of this kind of situation easier/possible.
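An added example, not Emby's code or anything posted in this thread, showing the server-side policy the last few posts argue about: admin routes are authorized on the server regardless of which icons the UI shows, the restart/shutdown "console recovery" exemption ebr describes is kept, and the "looks local but isn't" case maximumentropy raises (a reverse proxy on the same machine) is handled by only honouring X-Forwarded-For from explicitly trusted proxies and failing closed otherwise. Route names, the Request record and the session dict are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Hypothetical route names for the demo; not Emby's real endpoints.
ADMIN_PREFIXES = ("/dashboard", "/system/")
CONSOLE_RECOVERY = ("/system/restart", "/system/shutdown")


@dataclass
class Request:
    path: str
    peer_ip: str      # TCP peer address as seen by the server socket
    user: dict        # constructed session record, e.g. {"manage_server": False}
    headers: dict = field(default_factory=dict)


def effective_client_ip(req, trusted_proxies):
    """Resolve the real client address; honour X-Forwarded-For only from trusted proxies."""
    xff = req.headers.get("X-Forwarded-For", "")
    if xff and req.peer_ip in trusted_proxies:
        # The rightmost entry is the one the trusted proxy itself appended;
        # everything left of it is client-supplied and may be forged.
        return ipaddress.ip_address(xff.split(",")[-1].strip())
    return ipaddress.ip_address(req.peer_ip)


def is_console_request(req, trusted_proxies):
    """True only when the browser is genuinely on the server machine."""
    if "X-Forwarded-For" in req.headers and req.peer_ip not in trusted_proxies:
        # A forwarded header from an unlisted peer (e.g. a local reverse proxy
        # nobody registered) means we cannot tell where the browser is: fail closed.
        return False
    return effective_client_ip(req, trusted_proxies).is_loopback


def authorize(req, trusted_proxies=frozenset()):
    """Decide every request server-side; hiding a UI icon is never the control."""
    if not req.path.startswith(ADMIN_PREFIXES):
        return 200, "ok"
    if req.user.get("manage_server"):
        return 200, "ok"
    if req.path in CONSOLE_RECOVERY and is_console_request(req, trusted_proxies):
        return 200, "console recovery"
    return 403, "manage-server permission required"
```

With a reverse proxy on loopback listed in trusted_proxies, a remote browser reaching the restart route through it is refused even though the TCP peer is 127.0.0.1, while a browser actually on the server console still gets the recovery path.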