Collection of potential security issues in Jellyfin This is a non exhaustive list of potential security issues found in Jellyfin. Some of these might cause controversy. Some of these are design fla…

  • i_am_not_a_robot@discuss.tchncs.de
    link
    fedilink
    English
    arrow-up
    4
    ·
    1 day ago

    It’s not that challenging if you are looking for specific media files, but if you wanted to enumerate the files on a server it’s basically impossible.

    • Saik0@lemmy.saik0.com
      link
      fedilink
      English
      arrow-up
      2
      ·
      21 hours ago

      but if you wanted to enumerate the files on a server it’s basically impossible.

      Well lets say your a big movie studio… In the past 10 years you’ve released 40-50 movies. You pay some lawfirm to go out and find illegal copies of your movies.

      Those 40-50 movies * 1000 or 10000 common paths/names makes you a nice table of likely candidates. Prehash that table in MD5. It doesn’t take all that much effort to “enumerate” all the movies that your studio cares about. 50000 http requests is childs play and you can scan a public server within minutes for your list.

      Fully bruteforcing the thing… yeah that’s ridiculous. But I don’t think that people are naming bigbucksbunny.mkv as Rp23GXTHp4GN7P6j86HjRdxtfSKKAArj.mkv. So it’s not like we’re looking for “random” or “all” files anyway.

      I don’t think anyone was ever saying that the risk here is full enumeration. Though it is technically possible with sufficient time… just will take a lot of time.

        • Saik0@lemmy.saik0.com
          link
          fedilink
          English
          arrow-up
          1
          ·
          11 hours ago

          Having it publicly accessible on a web server is distribution. And that normally IS a crime unless you have some licenses to do so.