mediatomb allows anyone to browse and export the whole filesystem
Bug #569763 reported by Florian Hars
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
mediatomb (Debian) | Fix Released | Unknown | | |
mediatomb (Ubuntu) | Fix Released | Undecided | Unassigned | |
Bug Description
Binary package hint: mediatomb
The web interface allows anyone who can connect to the computer mediatomb is running on to browse the whole filesystem and mark any file for export that is visible to the mediatomb user without any authentication.
visibility: private → public
Changed in mediatomb (Debian): status: Unknown → New
Changed in mediatomb (Debian): status: New → Fix Committed
Changed in mediatomb (Debian): status: Fix Committed → Fix Released
Changed in mediatomb (Debian): status: Fix Released → New
Changed in mediatomb (Debian): status: New → Fix Released
Florian, I'm not sure how this is a security issue since mediatomb is meant to share files. Enabling the webserver would presumably require additional configuration to lock it down. Does the mediatomb webserver not provide any authentication mechanism or host based access controls? Can you detail the procedures to reproduce this issue?