Ubuntu

mediatomb allows anyone to browse and export the whole filesystem

Reported by Florian Hars on 2010-04-25
264
This bug affects 2 people
Affects Status Importance Assigned to Milestone
mediatomb (Debian)
Fix Released
Unknown
mediatomb (Ubuntu)
Undecided
Unassigned

Bug Description

Binary package hint: mediatomb

The web interface allows anyone who can connect to the computer mediatomb is running on to browse the whole filesystem and mark any file for export that is visible to the mediatomb user without any authentication.

Related branches

Florian Hars (hars) on 2010-04-25
visibility: private → public
Jamie Strandboge (jdstrand) wrote :

Florian, I'm not sure how this is a security issue since mediatomb is meant to share files. Enabling the webserver would presumably require additional configuration to lock it down. Does the mediatomb webserver not provide any authentication mechanism or host based access controls? Can you detail the procedures to reproduce this issue?

Changed in mediatomb (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
status: New → Incomplete
Jamie Strandboge (jdstrand) wrote :

Actually, I just found this from the MediaTomb documentation at http://mediatomb.cc/pages/documentation#id2856362:

"The server has an integrated filesystem browser, that means that anyone who has access to the UI can browse your filesystem (with user permissions under which the server is running) and also download your data! If you want maximum security - disable the UI completely! Account authentication offers simple protection that might hold back your kids, but it is not secure enough for use in an untrusted environment! Note: since the server is meant to be used in a home LAN environment the UI is enabled by default and accounts are deactivated, thus allowing anyone on your network to connect to the user interface."

I also confirmed the install behavior, which enables the UI by default with no user accounts. This is wrong and should be fixed in the packaging.

Changed in mediatomb (Ubuntu):
assignee: Jamie Strandboge (jdstrand) → nobody
status: Incomplete → Triaged
Changed in mediatomb (Debian):
status: Unknown → New
Changed in mediatomb (Debian):
status: New → Fix Committed
Changed in mediatomb (Debian):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mediatomb - 0.12.1-0ubuntu1

---------------
mediatomb (0.12.1-0ubuntu1) maverick; urgency=low

  * New upstream release (LP: #553269)
    + Drop patches applied upstream:
      - drop debian/patches/service-id_fix.patch
      - drop debian/patches/ffmpegthumbnailer-2.0.patch
      - drop debian/patches/autoreconf_-fi.patch
    + Refresh patch due to upstream changes
      - update debian/patches/const_char_conversion.patch

  * Merge from debian unstable. Remaining changes:
    - debian/control:
      + Don't depend on libmozjs-dev
      + Add OR depends on abrowser
    - debian/rules: Disable js support
    - fix LP: #569763 - mediatomb allows anyone to browse and export the whole
      filesystem

mediatomb (0.12.0~svn2018-6.1) unstable; urgency=low

  * Non-maintainer upload.
  * Disable user interface (Closes: #580120)
 -- Micah Gersten <email address hidden> Wed, 25 Aug 2010 17:07:03 -0500

Changed in mediatomb (Ubuntu):
status: Triaged → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.