Security issue


Postby psych0munky » Fri Dec 19, 2008 10:37 pm

Hey all,

I just wanted to warn you of a potential security issue with Subsonic.

I have figured out that anything in your music folders is as good as publicly available.

While I haven't been able to access anything outside of these directories, I have been able to download files that are not in the subsonic database that do indeed exist in these directories.

All you need to do is have a valid session cookie in your browser (i.e. log in...at least that is the only way I tested it) and then point your browser at:

http://<yourserver:port>/subsonic/stream?path=<path to the file you want to download>

Edit (04-01-2009): I have found that a valid session does not need to exist. This means that you can access this without being authenticated, which is how the music players do it.

I would encourage Sindre to fix this to only allow access to files that are available in the index and are actually music files (there are a number of utilities that can determine file-types...the Unix "file" command comes to mind). There are probably other secure alternatives too...

I am going to continue poking around and see what else I can come up with...

In the mean time...please make sure that you do NOT store anything confidential or that you don't want the world to have access to in any of the directories used by subsonic.
Last edited by psych0munky on Mon Jan 05, 2009 5:18 am, edited 1 time in total.

Postby kdid » Mon Dec 22, 2008 9:30 am

Do you say that you can get a directory listing of the folders containing the files?

Or does the complete path and name of each file you want to access need to be known?

I can see that there could be a risk, but the chance of guessing the path and filename is pretty slim.
-- kdid

Postby mistaox » Mon Dec 22, 2008 7:26 pm

Unless a hacker can get a full dir list, this is not that big of a deal.

And if you are mixing in confidential data with your music and videos on a public facing server, then you deserve to have something taken...just my opinion.

Postby tfruitz » Tue Dec 23, 2008 3:53 pm

Speaking of directory listings, I noticed that under the "status" webpage the full directory path to the songs is listed. I would consider that a minor security breach.

Postby psych0munky » Mon Dec 29, 2008 11:19 pm

I agree that what I have found thus far is not that big of a deal; however, being of a somewhat paranoid nature, I am wondering what further exploits can be derived from this, such as remote code execution.

@kdid: At the moment, I have not been able to get a directory listing, but I have not tested wild cards like * and ? to see what would happen (I have tested things like ../../, though very quickly). If these types of things work, then there is no need for a directory listing. The attacker could simply stream the contents to a file on his local machine and use a tool to split the files apart later.

@mistaox: While I do agree that mixing confidential data and music together to be served out is something that is beyond common sense...I am wondering how many of SUBSONIC's users are in that class of "knowing enough to be dangerous". I personally know enough people that would be able to get subsonic up and running, but lack the insight into the nature of web-applications to have the common sense to ensure their confidential data is out of the way.

@tfruitz: I agree that this could be interpreted as a minor security breach. However, there is always a balance to be had. I think the status web page with this info, the log, etc., should be shown only to admin users, and not everyone.

- Munky
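The fix asked for in the first post (serve only files that are in the index and really are music) and the `../../` and wildcard probes mentioned in the Dec 29 post, as an added example that is not Subsonic's own code. It is a stand-alone Python sketch of what a hardened `stream?path=` handler should check, in order: the caller is logged in, the path resolves (symlinks followed) to somewhere inside a configured music folder, that resolved file is in the server's index, and its leading bytes are audio (the in-process equivalent of the Unix `file` command). The music folder, the index and the files are constructed inside a temporary directory by `demo()`; the names `MUSIC_FOLDERS`-style arguments, `AccessDenied` and `resolve_streamable` are this example's own, not Subsonic API.

```python
# Added example, not Subsonic's code: a hardened resolver for a
# "stream?path=<file>" endpoint. Assumes the server keeps a list of configured
# music folders and a set of indexed (resolved) file paths.
import tempfile
from pathlib import Path
from typing import Dict, Iterable, Optional, Set

# Magic bytes for a few common formats; a real server would cover more.
AUDIO_MAGIC = {
    b"ID3": "audio/mpeg",   # MP3 with an ID3v2 tag
    b"fLaC": "audio/flac",
    b"OggS": "audio/ogg",
}


class AccessDenied(Exception):
    """Raised for any request that must not be served; the reason is for logs only."""


def sniff_audio_type(path: Path) -> Optional[str]:
    """Return a MIME type from the file's leading bytes, or None if it is not audio."""
    with path.open("rb") as f:
        head = f.read(4)
    for magic, mime in AUDIO_MAGIC.items():
        if head.startswith(magic):
            return mime
    # Bare MPEG audio frame with no ID3 tag: 11-bit frame sync 0xFFE.
    if len(head) >= 2 and head[0] == 0xFF and (head[1] & 0xE0) == 0xE0:
        return "audio/mpeg"
    return None


def _is_within(path: Path, root: Path) -> bool:
    try:
        path.relative_to(root)
        return True
    except ValueError:
        return False


def resolve_streamable(requested: str, music_folders: Iterable[Path],
                       index: Set[Path], authenticated: bool) -> Path:
    """Map a raw ?path= value to a file that may be streamed, or raise AccessDenied."""
    if not authenticated:
        raise AccessDenied("login required")
    # Reject globs and NUL-truncation attempts before touching the filesystem.
    if any(c in requested for c in "*?\x00"):
        raise AccessDenied("illegal character in path")
    try:
        # strict=True follows symlinks and fails if the target does not exist,
        # so "../../" and symlink tricks are judged on the real location.
        target = Path(requested).resolve(strict=True)
    except (OSError, RuntimeError):
        raise AccessDenied("no such file")
    roots = [Path(r).resolve() for r in music_folders]
    if not any(_is_within(target, root) for root in roots):
        raise AccessDenied("outside configured music folders")
    if target not in index:
        raise AccessDenied("not an indexed file")
    if not target.is_file() or sniff_audio_type(target) is None:
        raise AccessDenied("not an audio file")
    return target


def demo() -> Dict[str, str]:
    """Build a throwaway music folder (constructed data) and exercise the checks."""
    results: Dict[str, str] = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        music = base / "music"
        music.mkdir()
        song = music / "song.mp3"
        song.write_bytes(b"ID3\x04\x00\x00" + b"\x00" * 32)   # fake MP3 header
        notes = music / "notes.txt"
        notes.write_bytes(b"bank password: hunter2\n")        # confidential, beside the music
        secret = base / "secret.txt"
        secret.write_bytes(b"outside the music folder\n")
        link: Optional[Path] = music / "link.mp3"
        try:
            link.symlink_to(secret)                           # inside the folder, points outside
        except OSError:
            link = None
        # A naive indexer that picked up notes.txt: being indexed is not enough.
        index = {song.resolve(), notes.resolve()}

        def attempt(path: str, authenticated: bool = True) -> str:
            try:
                resolve_streamable(path, [music], index, authenticated)
                return "served"
            except AccessDenied as e:
                return "denied: " + str(e)

        results["indexed_song"] = attempt(str(song))
        results["unauthenticated"] = attempt(str(song), authenticated=False)
        results["indexed_non_audio"] = attempt(str(notes))
        results["traversal"] = attempt(str(music / ".." / "secret.txt"))
        results["wildcard"] = attempt(str(music / "*.mp3"))
        results["symlink_escape"] = attempt(str(link)) if link else "skipped"
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:18} {outcome}")
```

The order of the checks is the point: containment is tested on the resolved path before the index lookup, so a symlink or `..` that an indexer happened to pick up still cannot reach outside the music folders, and the magic-byte sniff runs last so an indexed non-audio file sitting beside the music is not served either.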
