
getCoverArt.view unfiltered parameters can lead to DOS

Posted: Mon Jan 16, 2012 1:08 am
by zapt0
You can call the getCoverArt view and specify an arbitrarily large size parameter, which will generate a large image and tie up server resources for up to a minute. The only upper limit seems to occur when the album art thread crashes from the excess memory usage.

Example call:
/rest/getCoverArt.view?v=1.6.0&c=subweb&f=json&size=9001&id=<album art id>

Re: getCoverArt.view unfiltered parameters can lead to DOS

Posted: Mon Jan 16, 2012 8:10 am
by ytechie
You do realize though that you need to add the username and password to the url?

Re: getCoverArt.view unfiltered parameters can lead to DOS

Posted: Mon Jan 16, 2012 3:23 pm
by zapt0
ytechie wrote: You do realize though that you need to add the username and password to the url?

Absolutely, this only works if you already have access to an account on the server, but considering some servers are public it's still a problem.
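
Added example, not part of the thread and not Subsonic's own code: one way a server could bound the size parameter discussed above before any image scaling happens. The names safe_cover_size, BadRequest, MAX_COVER_SIZE and SIZE_BUCKETS, and the limit values, are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed policy values, not taken from Subsonic itself.
MAX_COVER_SIZE = 1024                      # largest edge length rendered, in pixels
SIZE_BUCKETS = (64, 128, 256, 512, 1024)   # fixed output sizes keep the cache bounded


class BadRequest(ValueError):
    """Raised when the size parameter cannot be used at all."""


def safe_cover_size(request_path, default=None):
    """Return the edge length to render for a getCoverArt-style request.

    Returns `default` (None = serve the stored image unscaled) when no
    size parameter is present.
    """
    params = parse_qs(urlsplit(request_path).query, keep_blank_values=True)
    values = params.get("size")
    if not values:
        return default
    if len(values) > 1:
        # Ambiguous input: do not guess which value downstream code would pick.
        raise BadRequest("size given more than once")
    raw = values[0].strip()
    # ASCII digits only: rejects signs, decimals, exponents and unicode digits.
    # The length check stops absurdly long numbers before int() sees them.
    if not (raw.isascii() and raw.isdigit()) or len(raw) > 6:
        raise BadRequest("size must be a small positive integer")
    requested = int(raw)
    if requested == 0:
        raise BadRequest("size must be greater than zero")
    # Clamp instead of rejecting, so an oversized request still gets an image
    # but never costs more than one MAX_COVER_SIZE render.
    capped = min(requested, MAX_COVER_SIZE)
    # Round up to the next bucket: at most len(SIZE_BUCKETS) variants per cover,
    # so cycling through many distinct sizes cannot force fresh renders forever.
    return next(b for b in SIZE_BUCKETS if b >= capped)


if __name__ == "__main__":
    # Constructed request modelled on the example call in the first post.
    print(safe_cover_size("/rest/getCoverArt.view?v=1.6.0&c=subweb&f=json&size=9001&id=x"))
```

Because the check applies to authenticated requests too, it still covers the public-server case raised in the last reply.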