Is subsonic really that insecure?


Is subsonic really that insecure?

Postby shavenne » Wed Sep 12, 2012 4:25 pm

Hello everybody,

I'm wondering: when I open an m3u playlist (which I got from Subsonic) in an editor, copy the URL 'http://$url:$port/stream?player=3&id=8283&suffix=.mp3' and give this URL to any person, why can he open and listen to it? Without any password, login or anything else. Sure, there's no password or anything in the URL, but I expected at least an IP check or something like that?
So if someone does a portscan and finds the Subsonic port, he can simply download my whole music library by incrementing the id number? Is that true? :shock:

Greetings from Germany
shavenne
shavenne
 
Posts: 4
Joined: Wed Sep 12, 2012 4:17 pm

Re: Is subsonic really that insecure?

Postby BKKKPewsey » Wed Sep 12, 2012 9:26 pm

shavenne wrote:So if someone does a portscan and finds the subsonic port he can simply download my whole music library by incrementing the id-number??? Is that true?

Don't know :? Why don't you try and report back?

:mrgreen:
Everyone is entitled to be stupid, but some abuse the privilege!

Due to the confusion from too many genres of music, we have decided to put both country music and rap music into the genre of Crap music.
BKKKPewsey
 
Posts: 2080
Joined: Mon May 23, 2011 12:16 pm
Location: United Kingdom

Re: Is subsonic really that insecure?

Postby hakko » Wed Sep 12, 2012 9:44 pm

This has been known for a long while (but security doesn't really seem to be on top of Sindre's TODO list, see viewtopic.php?f=3&t=5996)

In previous versions (up to 4.6), the id number was more random, so it was harder to guess for an intruder (security by obscurity). The new way of sequential ids makes this even worse. It's a good point.
MusicCabinet developer
hakko
 
Posts: 1416
Joined: Tue Apr 17, 2012 7:05 pm
Location: Sweden

Re: Is subsonic really that insecure?

Postby BKKKPewsey » Wed Sep 12, 2012 11:47 pm

I don't know if this is different depending on OS, but my 4.6 playlists do not have an ID number, so this appears to be a new feature :roll: with 4.7.
My 4.6 playlists either just have a player number (so will access only that player's playlist) or the hex-encoded ASCII file path (external with playlist).
However, as in my previous post: by just incrementing that ID number, will that go through your whole library :? No idea!

But I would like to make a personal comment before we embark on yet another long security thread.

This is a music server, not designed for storing state secrets. If anyone is not comfortable with the (IMHO) small "security" issues, then I would suggest not putting their media on the internet.
As soon as you "share" information you are at risk, especially if you use viral networking.
Share a link on Google or Facebook and stand back. You will discover many new friends you never knew you had.
Whilst discussions regarding security issues are, I am sure, welcomed by Sindre, as are any other helpful suggestions to improve SS,
try to remember that this is a simple (basically free) music server/streamer and not a PayPal or Amazon account server :lol:

BKKKPewsey
 
Posts: 2080
Joined: Mon May 23, 2011 12:16 pm
Location: United Kingdom

Re: Is subsonic really that insecure?

Postby hakko » Thu Sep 13, 2012 5:42 am

It's not different depending on OS. 4.6 used to pass around a parameter that was the whole file name path, hex encoded. 4.7 passes around an internal database id, which happens to be handed out sequentially. If you delete files from your library, that'll leave gaps in the range, etc.

Even if this is not a PayPal server, it wouldn't surprise me if a couple of your users use the same password for their Subsonic account and their PayPal account, for example. Subsonic claims to be secure (http://www.subsonic.org/pages/features.jsp#secure), so I think issues like these should be taken more seriously.
MusicCabinet developer
hakko
 
Posts: 1416
Joined: Tue Apr 17, 2012 7:05 pm
Location: Sweden
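The thread's concern is that an unauthenticated `/stream?id=N` endpoint with sequential ids can be walked by anyone who finds the port. As an added example (not Subsonic's code, not from any poster), here is a small detector a server operator could run over the HTTP access log to spot a client that requests consecutive ids; the log lines are constructed in the common/combined format, and the threshold `min_run` is an assumed tuning value.

```python
import re
from collections import defaultdict

# Constructed sample access log (not real Subsonic output). The request shape
# follows the URL quoted in the thread: /stream?player=N&id=N&suffix=.mp3
SAMPLE_LOG = """\
10.0.0.5 - - [12/Sep/2012:16:20:01 +0200] "GET /stream?player=3&id=8283&suffix=.mp3 HTTP/1.1" 200 4019233
10.0.0.5 - - [12/Sep/2012:16:24:40 +0200] "GET /stream?player=3&id=8291&suffix=.mp3 HTTP/1.1" 200 3877120
203.0.113.9 - - [12/Sep/2012:16:30:00 +0200] "GET /stream?player=3&id=8283&suffix=.mp3 HTTP/1.1" 200 4019233
203.0.113.9 - - [12/Sep/2012:16:30:01 +0200] "GET /stream?player=3&id=8284&suffix=.mp3 HTTP/1.1" 200 3100000
203.0.113.9 - - [12/Sep/2012:16:30:02 +0200] "GET /stream?player=3&id=8285&suffix=.mp3 HTTP/1.1" 404 0
203.0.113.9 - - [12/Sep/2012:16:30:03 +0200] "GET /stream?player=3&id=8286&suffix=.mp3 HTTP/1.1" 200 2999999
203.0.113.9 - - [12/Sep/2012:16:30:04 +0200] "GET /stream?player=3&id=8287&suffix=.mp3 HTTP/1.1" 200 3500000
"""

# Client IP, timestamp and the numeric id parameter of a GET /stream request.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET /stream\?[^" ]*\bid=(?P<id>\d+)'
)


def parse_stream_ids(log_text):
    """Return {client_ip: [requested ids, in log order]} for /stream hits."""
    ids_by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ids_by_ip[m.group("ip")].append(int(m.group("id")))
    return ids_by_ip


def longest_sequential_run(ids):
    """Length of the longest run of strictly consecutive ids.

    A 404 for a deleted track (the gaps hakko mentions) still counts, because
    the client asked for the next id regardless of whether it exists.
    """
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def flag_enumerators(log_text, min_run=4):
    """Client IPs whose /stream requests walk at least min_run consecutive ids."""
    return sorted(ip for ip, ids in parse_stream_ids(log_text).items()
                  if longest_sequential_run(ids) >= min_run)
```

Normal listening (the 10.0.0.5 client) jumps between unrelated ids and is not flagged; the 203.0.113.9 client's consecutive walk is. The real fix remains tying the stream endpoint to an authenticated session rather than relying on detection.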

Re: Is subsonic really that insecure?

Postby BKKKPewsey » Thu Sep 13, 2012 11:39 am

hakko wrote:Even if this is not a Paypal server, it wouldn't surprise me if a couple of your users use the same password for their Subsonic account and their Paypal account, for example.

Most unlikely, as I set the passwords/usernames for all my users and disable access to the settings menu :lol:
That is to prevent them from turning off "Let others see what I am playing", as that is the only way I can see who's logged in. :roll:
But that's another issue.

BKKKPewsey
 
Posts: 2080
Joined: Mon May 23, 2011 12:16 pm
Location: United Kingdom
