secure subsonic


secure subsonic

Postby keckskoenig » Wed Oct 30, 2013 12:57 am

Currently it is possible to access files on the server without being logged in, simply by "guessing".
Let's say you have a server instance running on foobar.subsonic.org.
You may just open http://foobar.subsonic.org/stream?playe ... uffix=.mp3
where XX is a guessed number between 1 and let's say 20 (if no player with id XX is found you will receive an error message)
and YYYY is the file id (a number between 1 and let's say 9000).

It may take a while to find a suitable player (correct match for XX)
and also a file with database id YYYY.

I did try this on a few servers I found by "guessing" premium subdomains of subsonic.org,
like if.subsonic.org, mine.subsonic.org and so on.

Conclusion:
Currently everyone could access files stored on a Subsonic server just by guessing/bruteforcing a low range of numbers.
! NO LOGIN IS REQUIRED !

A fix for this should be fairly easy, like requiring a (valid session id/nonce) for accessing files.

As a rude example, try to open http://mine.subsonic.org/stream?player= ... uffix=.mp3 in VLC and enjoy someone's Beauty and the Beast Walt Disney movie...
keckskoenig
 
Posts: 4
Joined: Fri Jul 01, 2011 8:51 pm

Re: secure subsonic

Postby gurutech » Wed Oct 30, 2013 2:27 am

I'd be more worried about people being able to UPLOAD files without an ID/password....
gurutech
 
Posts: 492
Joined: Sun Jan 15, 2012 9:56 pm

Re: secure subsonic

Postby daneren2005 » Wed Oct 30, 2013 3:30 am

Oh, now this is a fun game. Or not having the only way to use the REST API be sending unencrypted plaintext passwords over the internet :D
Developer of DSub for Android
daneren2005
 
Posts: 1709
Joined: Fri Jul 06, 2012 7:52 pm

Re: secure subsonic

Postby keckskoenig » Wed Oct 30, 2013 10:57 am

gurutech wrote:I'd be more worried about people being able to UPLOAD files without an ID/password....

Hm, if you do transcoding server-side, one is able to lock up the whole machine by requesting transcoded files multiple times.
keckskoenig
 
Posts: 4
Joined: Fri Jul 01, 2011 8:51 pm

Re: secure subsonic

Postby daneren2005 » Wed Oct 30, 2013 5:56 pm

It seems like most of these problems would be easily solved. The common theme is that the methods used for the internal web view need to require an existing session to work. Whether they do this by appending a session id to the URL, or by just checking that the session is a valid one on each request, doesn't matter.
Developer of DSub for Android
daneren2005
 
Posts: 1709
Joined: Fri Jul 06, 2012 7:52 pm
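The fix the thread converges on (a stream endpoint that refuses any request without a valid session, and then only honours player and file ids the session's user is entitled to) is shown below as an added, self-contained example. It is not Subsonic's own code and does not use its real classes; the endpoint path, the query parameter names (`player`, `id`, `suffix`, the first and last being visible in the truncated URL above, `id` being an assumption), the in-memory session, player and folder tables, and the sample ids are all constructed for illustration. It also keeps a per-client count of unauthenticated stream requests, which is the signal a defender would alert on for the id-guessing described in the first post.

```python
"""Session-gated /stream handler (added example, not Subsonic's code).

Every request must carry a valid session before any id in the query string is
looked at; the player id must belong to the session's user; and the file must
sit in a folder that user may read. Unauthenticated hits are counted per
client address as a detection aid.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qs

# --- constructed server state (all values are made up for this example) ----
SESSIONS = {"s3ss10n-alice": "alice", "s3ss10n-bob": "bob"}   # session id -> user
PLAYERS = {1: "alice", 2: "alice", 3: "bob"}                  # player id -> owner
MEDIA = {100: ("music", "Track.mp3"), 200: ("video", "Movie.mkv")}  # id -> (folder, file)
FOLDER_ACCESS = {"alice": {"music"}, "bob": {"music", "video"}}     # user -> readable folders

# Detection aid: client ip -> number of /stream requests that arrived without a session.
UNAUTH_HITS = {}


@dataclass
class Response:
    status: int
    body: str
    headers: dict = field(default_factory=dict)


def handle_stream(url, cookies, client_ip="203.0.113.7"):
    """Serve /stream only to an authenticated user who owns the player and may read the file."""
    parts = urlsplit(url)
    if parts.path != "/stream":
        return Response(404, "not found")
    query = parse_qs(parts.query)

    # 1. Session check (the fix proposed in the thread). Without a valid session the
    #    ids are never consulted, so a guesser learns nothing about which ids exist.
    user = SESSIONS.get(cookies.get("JSESSIONID", ""))
    if user is None:
        UNAUTH_HITS[client_ip] = UNAUTH_HITS.get(client_ip, 0) + 1
        return Response(401, "login required")

    try:
        player_id = int(query.get("player", [""])[0])
        media_id = int(query.get("id", [""])[0])
    except ValueError:
        return Response(400, "bad request")

    # 2. Ownership: a valid session is not enough, the player must belong to this user.
    if PLAYERS.get(player_id) != user:
        return Response(403, "forbidden")

    # 3. Folder authorisation. Missing and not-permitted files get the same answer so an
    #    authenticated user cannot enumerate ids in folders they are not allowed to see.
    media = MEDIA.get(media_id)
    if media is None or media[0] not in FOLDER_ACCESS.get(user, set()):
        return Response(404, "not found")
    folder, name = media
    return Response(200, f"<bytes of {folder}/{name}>", {"Content-Type": "audio/mpeg"})


def suspicious_clients(threshold):
    """Client addresses that made at least `threshold` stream requests with no session."""
    return sorted(ip for ip, n in UNAUTH_HITS.items() if n >= threshold)


if __name__ == "__main__":
    # Anonymous guess of the kind described in the thread: refused before ids are read.
    print(handle_stream("/stream?player=1&id=100&suffix=.mp3", {}))
    # Logged-in owner of player 1 with access to the "music" folder: served.
    print(handle_stream("/stream?player=1&id=100&suffix=.mp3", {"JSESSIONID": "s3ss10n-alice"}))
    # Logged in, but player 3 belongs to someone else: refused.
    print(handle_stream("/stream?player=3&id=100&suffix=.mp3", {"JSESSIONID": "s3ss10n-alice"}))
    print(suspicious_clients(1))
```

The order of the checks is the point: authentication first, then ownership of the player, then folder permission on the file, and the same "not found" for absent and forbidden files so that a logged-in user cannot map out the id space either. The `UNAUTH_HITS` counter is the simplest form of the signal an operator would want in access logs: many 401s on `/stream` from one address with changing `player`/`id` values.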

