
Security flaw or a feature?

Posted: Tue May 08, 2012 9:10 pm
by thenicnet
I found that you can force a player to play in a browser or a media player by simply putting this in your browser:
http://YOURSERVERHERE.com:4040/stream?p ... uffix=.mp3

This seems like it could be a pretty big flaw, because even if I don't guess the player number correctly, it'll default to another.
Thoughts on this? Is there a way to disable this?

Re: Security flaw or a feature?

Posted: Tue May 15, 2012 1:19 pm
by lovebags
Ah yes, so it does, interesting find. For me, on a Mac 10.7.4 on Safari, it loads the song from the start into a non-controllable player in the browser (except for a pause button). It doesn't give away any more information than what current authenticated users can't find out within the status section, but does completely bypass our LDAP authentication which we use (but so do 'shared' links, so must be working on a similar level). For an outside user, they would need to know this URL plus put in a player number in order to hear a song someone happens to be playing. I guess it could be seen as both a feature and a flaw at the same time?