This repository has been archived by the owner on Sep 8, 2021. It is now read-only.
db.view page accessible by any authenticated user #395
Labels
type: enhancement-closed
What was previously labeled enhancement. For archiving. Will be organized later.
Issue by pjoubert-
Thursday May 11, 2017 at 06:58 GMT
Originally opened as https://github.com/Libresonic/libresonic/issues/394
I found that the db.view page is accessible by any user. Then, a simple query, like "select * from user;", allows dumping user details: that's bad, but worse: #69 shows that passwords are simply encoded.
Access to this resource should be constrained to admins at least.
A workaround is to protect the page with the reverse proxy, if one is in use.
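The defect described in this issue is a confusion between authentication and authorization: being logged in is not the same as being allowed to reach an administrative page. The following is an added example, not Libresonic's own code, showing a minimal request filter in both forms: `vulnerable_check`, which only asks whether a user is logged in, and `hardened_check`, which additionally requires the admin role for pages on an explicit allow-list. The `User`, `Decision`, and `ADMIN_ONLY_PATHS` names are constructed for the example; only the `/db.view` path comes from the issue.

```python
"""Added example (not Libresonic code): an authorization filter that keeps
admin-only pages such as db.view away from ordinary authenticated users."""
from dataclasses import dataclass, field
from typing import FrozenSet, Optional

# Hypothetical allow-list of admin-only endpoints; /db.view is the page the
# issue reports, the only entry taken from the report itself.
ADMIN_ONLY_PATHS: FrozenSet[str] = frozenset({"/db.view"})


@dataclass(frozen=True)
class User:
    """Constructed stand-in for a session principal."""
    name: str
    roles: FrozenSet[str] = field(default_factory=frozenset)


@dataclass(frozen=True)
class Decision:
    """What the filter would answer: an HTTP status plus a short reason."""
    status: int
    reason: str


def _normalize(path: str) -> str:
    """Strip the query string and lower-case the path so that variants like
    '/DB.VIEW?sql=...' are matched against the same allow-list entry."""
    return path.split("?", 1)[0].lower()


def vulnerable_check(path: str, user: Optional[User]) -> Decision:
    """The behaviour the issue describes: any logged-in user gets through,
    because the filter never asks which role the user holds."""
    if user is None:
        return Decision(401, "authentication required")
    return Decision(200, "authenticated, no role check performed")


def hardened_check(path: str, user: Optional[User]) -> Decision:
    """Hardened form: admin-only paths additionally require the admin role."""
    base = _normalize(path)
    if base not in ADMIN_ONLY_PATHS:
        # Ordinary pages keep whatever rules they already have; here, login only.
        return Decision(401, "authentication required") if user is None \
            else Decision(200, "regular page")
    if user is None:
        return Decision(401, "authentication required")
    if "admin" not in user.roles:
        # This is the branch that was effectively missing in the report.
        return Decision(403, "admin role required")
    return Decision(200, "admin access granted")


if __name__ == "__main__":
    # Constructed users: one administrator and one ordinary account.
    alice = User("alice", frozenset({"admin"}))
    bob = User("bob", frozenset({"user"}))
    for label, fn in (("vulnerable", vulnerable_check), ("hardened", hardened_check)):
        for who in (None, bob, alice):
            d = fn("/db.view?sql=select+*+from+user", who)
            print(f"{label:10} {getattr(who, 'name', 'anonymous'):9} -> {d.status} {d.reason}")
```

The comparison that matters is the non-admin, logged-in user `bob`: the vulnerable filter returns 200 for `/db.view`, the hardened one 403. The allow-list is deliberately explicit so that a new administrative page has to be added by hand, and the path normalization exists so that case or query-string variations cannot slip past the match.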