Ubuntu
mediatomb package

mediatomb allows anyone to browse and export the whole filesystem

Bug #569763 reported by Florian Hars
264
This bug affects 2 people
Affects Status Importance Assigned to Milestone
mediatomb (Debian)
Fix Released
Unknown
mediatomb (Ubuntu)
Fix Released
Undecided
Unassigned

Bug Description

Binary package hint: mediatomb

The web interface allows anyone who can connect to the computer mediatomb is running on to browse the whole filesystem and mark any file for export that is visible to the mediatomb user without any authentication.

Related branches

lp:ubuntu/maverick/mediatomb
Florian Hars (hars)
visibility: private → public
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Florian, I'm not sure how this is a security issue since mediatomb is meant to share files. Enabling the webserver would presumably require additional configuration to lock it down. Does the mediatomb webserver not provide any authentication mechanism or host based access controls? Can you detail the procedures to reproduce this issue?

Changed in mediatomb (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
status: New → Incomplete
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Actually, I just found this from the MediaTomb documentation at http://mediatomb.cc/pages/documentation#id2856362:

"The server has an integrated filesystem browser, that means that anyone who has access to the UI can browse your filesystem (with user permissions under which the server is running) and also download your data! If you want maximum security - disable the UI completely! Account authentication offers simple protection that might hold back your kids, but it is not secure enough for use in an untrusted environment! Note: since the server is meant to be used in a home LAN environment the UI is enabled by default and accounts are deactivated, thus allowing anyone on your network to connect to the user interface."

I also confirmed the install behavior, which enables the UI by default with no user accounts. This is wrong and should be fixed in the packaging.

Changed in mediatomb (Ubuntu):
assignee: Jamie Strandboge (jdstrand) → nobody
status: Incomplete → Triaged
Bug Watch Updater (bug-watch-updater)
Changed in mediatomb (Debian):
status: Unknown → New
Bug Watch Updater (bug-watch-updater)
Changed in mediatomb (Debian):
status: New → Fix Committed
Bug Watch Updater (bug-watch-updater)
Changed in mediatomb (Debian):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mediatomb - 0.12.1-0ubuntu1

---------------
mediatomb (0.12.1-0ubuntu1) maverick; urgency=low

  * New upstream release (LP: #553269)
    + Drop patches applied upstream:
      - drop debian/patches/service-id_fix.patch
      - drop debian/patches/ffmpegthumbnailer-2.0.patch
      - drop debian/patches/autoreconf_-fi.patch
    + Refresh patch due to upstream changes
      - update debian/patches/const_char_conversion.patch

  * Merge from debian unstable. Remaining changes:
    - debian/control:
      + Don't depend on libmozjs-dev
      + Add OR depends on abrowser
    - debian/rules: Disable js support
    - fix LP: #569763 - mediatomb allows anyone to browse and export the whole
      filesystem

mediatomb (0.12.0~svn2018-6.1) unstable; urgency=low

  * Non-maintainer upload.
  * Disable user interface (Closes: #580120)
 -- Micah Gersten <email address hidden> Wed, 25 Aug 2010 17:07:03 -0500

Changed in mediatomb (Ubuntu):
status: Triaged → Fix Released
Bug Watch Updater (bug-watch-updater)
Changed in mediatomb (Debian):
status: Fix Released → New
Bug Watch Updater (bug-watch-updater)
Changed in mediatomb (Debian):
status: New → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.