
Plex: Serious Security Bug


pyrater


If anyone knows how to fix please let me know, if not be aware.

Found a serious bug where anyone could delete my entire library! If you
go to http://MYWANIP:32400/web/ you have full admin control over the
entire library!!! WITHOUT LOGGING IN!!! This is with the "Require
authentication on local networks" option checked in the advanced settings
as well.

Please tell me that I have something configured wrong and that this
isn't a huge security issue waiting for someone with a port scanner to
start destroying people's libraries!

https://forums.plex.tv/index.php/topic/95727-serious-security-bug/

 

Using: PlexMediaServer-0.9.8.18.290-11b7fdd-unRAID.txz

As of right now all I have is port redirection done at the router, so at least people cannot mass scan for port 32400 and find my server.

Link to comment

First off, don't use port forwarding to anything that you deem important - regardless of whether the "important" resource is "password protected" or not. Instead, establish a VPN to your home network (SSL or IPsec) and manage LAN resources via the VPN. Much simpler to administer and much more secure.

 

Port forwarding without deep knowledge of the target and ongoing diligence is just a bad idea.

Link to comment

Agreed, kind of makes Plex remote features, aka sharing, worthless though.

 

Fixed it, leaving the post here in case anyone else has this issue. Unless a mod wants me to delete it.

 

Looked into Preferences.xml; there is an option called disableRemoteSecurity="1". Changed it to a 0, rebooted Plex and BOOM, login screen!

Link to comment
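A check for the setting described in the post above, as an added example that is not part of the original thread and is not Plex's own code: it reads a Preferences.xml, reports every occurrence of disableRemoteSecurity, and can return a copy with the value set to 0. The layout (settings stored as attributes on the XML elements) and the FriendlyName attribute in the sample are assumptions; only the option name and its 1/0 values come from the thread.

```python
import sys
import xml.etree.ElementTree as ET

SETTING = "disableRemoteSecurity"  # option name as given in the thread

# Constructed sample input. Assumption: preferences are attributes on the
# root element; FriendlyName is a made-up neighbouring attribute.
SAMPLE = b'<Preferences FriendlyName="tower" disableRemoteSecurity="1"/>'


def audit(xml_bytes):
    """Return (element tag, value) for every element carrying the setting."""
    root = ET.fromstring(xml_bytes)
    return [(el.tag, el.attrib[SETTING])
            for el in root.iter() if SETTING in el.attrib]


def needs_fix(xml_bytes):
    """True when the setting is present with any value other than "0".

    "0" is the value that brought the login screen back in the thread;
    treating every other value as suspect is a conservative choice made here.
    A file without the attribute is not flagged.
    """
    return any(value.strip() != "0" for _, value in audit(xml_bytes))


def harden(xml_bytes):
    """Return the XML with the setting forced to "0", other attributes kept."""
    root = ET.fromstring(xml_bytes)
    for el in root.iter():
        if SETTING in el.attrib:
            el.set(SETTING, "0")
    return ET.tostring(root)


if __name__ == "__main__":
    # Usage: python check_prefs.py /path/to/Preferences.xml
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for tag, value in audit(data):
        print(f"<{tag}> {SETTING}={value!r}")
    print("NEEDS FIX: remote login is disabled" if needs_fix(data) else "OK")
```

As in the thread, the server has to be restarted after the file is changed; keep a backup copy of the original file before writing the output of `harden` over it.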

Archived

This topic is now archived and is closed to further replies.
