This repository has been archived by the owner on Sep 8, 2021. It is now read-only.

db.view page accessible by any authenticated user #395

Closed
issuemover631 opened this issue May 11, 2017 · 1 comment
Labels
type: enhancement-closed What was previously labeled enhancement. For archiving. Will be organized later.

Comments

@issuemover631

Issue by pjoubert-
Thursday May 11, 2017 at 06:58 GMT
Originally opened as https://github.com/Libresonic/libresonic/issues/394


I found that the db.view page is accessible by any user. Then, a simple query, like "select * from user;", allows dumping user details: that's bad, but worse, #69 shows that passwords are simply encoded.
Access to this resource should be constrained to admins at least.
A workaround is to protect the page with the reverse proxy, if using any.

@issuemover631

Comment by jooola
Thursday May 11, 2017 at 11:59 GMT


Oh damn!
That's bad...

Here is a workaround for haproxy (simple HTTP Auth for the db.view URL):

defaults
  option http-server-close

# HTTP Auth: the userlist is its own top-level section, not part of defaults
userlist $USERLISTNAME
  user $USER insecure-password $PASSWORD

backend libresonic_backend
  # HTTP Auth
  # Here $SECUREURL should be /db.view
  acl $SECUREURLNAME path_beg -i $SECUREURL
  acl $AUTHOK_SERVICE http_auth($USERLISTNAME)
  # Challenge for credentials only on the protected path, and only when none valid were sent
  http-request auth realm libresonic if !$AUTHOK_SERVICE $SECUREURLNAME

Of course all $VARS have to be changed!

I think a HAProxy pro could do something a bit more secure, but I'm not that guy... The above is really basic.
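As an added check that is not part of the original thread: a small Python audit that reads combined-format access logs from the reverse proxy and reports whether requests to /db.view were actually served (2xx) or stopped by the HTTP auth gate (401/403), matching the path the way the `path_beg -i` ACL above does. The log lines are constructed for this example, not real traffic.

```python
import re
from collections import Counter

# Combined log format: client ident authuser [time] "method path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
SENSITIVE_PREFIX = "/db.view"  # the endpoint named in the issue

# Constructed sample lines (not real traffic); authuser is what a proxy-side Basic auth gate fills in
SAMPLE_LOG = """\
10.0.0.5 - - [11/May/2017:06:58:01 +0000] "GET /db.view HTTP/1.1" 200 4123
10.0.0.5 - - [11/May/2017:06:58:09 +0000] "POST /db.view HTTP/1.1" 200 9871
10.0.0.7 - - [11/May/2017:07:02:44 +0000] "GET /DB.VIEW?foo=1 HTTP/1.1" 200 4123
10.0.0.9 - - [11/May/2017:12:10:03 +0000] "GET /db.view HTTP/1.1" 401 0
10.0.0.9 - admin [11/May/2017:12:10:20 +0000] "GET /db.view HTTP/1.1" 200 4123
10.0.0.5 - - [11/May/2017:12:11:00 +0000] "GET /index.view HTTP/1.1" 200 2210
garbage line that does not parse
"""

def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def audit_db_view(log_text):
    """Classify every request to /db.view: 'served' (2xx), 'challenged' (401/403),
    or 'other' (e.g. redirects). Returns (counts, [(ip, authuser, method)] served)."""
    counts, served = Counter(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Mirror HAProxy's `path_beg -i`: prefix match, case-insensitive, query ignored
        if not rec["path"].split("?", 1)[0].lower().startswith(SENSITIVE_PREFIX):
            continue
        if 200 <= rec["status"] < 300:
            counts["served"] += 1
            served.append((rec["ip"], rec["user"], rec["method"]))
        elif rec["status"] in (401, 403):
            counts["challenged"] += 1
        else:
            counts["other"] += 1
    return counts, served
```

Any entry in the served list with authuser `-` means the page was reached without the proxy gate ever challenging the client, which is exactly what the workaround is meant to prevent.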

@issuemover631 issuemover631 added type: enhancement-closed What was previously labeled enhancement. For archiving. Will be organized later. issue labels Jul 4, 2017