mediatomb allows anyone to browse and export the whole filesystem

Bug #569763 reported by Florian Hars
This bug affects 2 people
Affects Status Importance Assigned to Milestone
mediatomb (Debian)
Fix Released
mediatomb (Ubuntu)

Bug Description

Binary package hint: mediatomb

The web interface allows anyone who can connect to the computer mediatomb is running on to browse the whole filesystem and mark any file for export that is visible to the mediatomb user without any authentication.

Related branches

Florian Hars (hars)
visibility: private → public
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Florian, I'm not sure how this is a security issue since mediatomb is meant to share files. Enabling the webserver would presumably require additional configuration to lock it down. Does the mediatomb webserver not provide any authentication mechanism or host based access controls? Can you detail the procedures to reproduce this issue?

Changed in mediatomb (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
status: New → Incomplete
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Actually, I just found this from the MediaTomb documentation at

"The server has an integrated filesystem browser, that means that anyone who has access to the UI can browse your filesystem (with user permissions under which the server is running) and also download your data! If you want maximum security - disable the UI completely! Account authentication offers simple protection that might hold back your kids, but it is not secure enough for use in an untrusted environment! Note: since the server is meant to be used in a home LAN environment the UI is enabled by default and accounts are deactivated, thus allowing anyone on your network to connect to the user interface."

I also confirmed the install behavior, which enables the UI by default with no user accounts. This is wrong and should be fixed in the packaging.

Changed in mediatomb (Ubuntu):
assignee: Jamie Strandboge (jdstrand) → nobody
status: Incomplete → Triaged
Changed in mediatomb (Debian):
status: Unknown → New
Changed in mediatomb (Debian):
status: New → Fix Committed
Changed in mediatomb (Debian):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mediatomb - 0.12.1-0ubuntu1

mediatomb (0.12.1-0ubuntu1) maverick; urgency=low

  * New upstream release (LP: #553269)
    + Drop patches applied upstream:
      - drop debian/patches/service-id_fix.patch
      - drop debian/patches/ffmpegthumbnailer-2.0.patch
      - drop debian/patches/autoreconf_-fi.patch
    + Refresh patch due to upstream changes
      - update debian/patches/const_char_conversion.patch

  * Merge from debian unstable. Remaining changes:
    - debian/control:
      + Don't depend on libmozjs-dev
      + Add OR depends on abrowser
    - debian/rules: Disable js support
    - fix LP: #569763 - mediatomb allows anyone to browse and export the whole

mediatomb (0.12.0~svn2018-6.1) unstable; urgency=low

  * Non-maintainer upload.
  * Disable user interface (Closes: #580120)
 -- Micah Gersten <email address hidden> Wed, 25 Aug 2010 17:07:03 -0500

Changed in mediatomb (Ubuntu):
status: Triaged → Fix Released
Changed in mediatomb (Debian):
status: Fix Released → New
Changed in mediatomb (Debian):
status: New → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.