Anybody can access /stream

omnikron


(topic moved from wrong forum)

Hi,

Sorry if I'm not in the proper forum.

I believe there might be a security issue with access to the /stream URI. On my setup (madsonic 5.0-3830) you can access it from anywhere without any authentication. Players like Jamstash use /rest/stream.view, which looks correctly protected. The workaround I use for now is to comment out the servlet-mapping section for /stream in %madsonic-home%/jetty/3880/webapp/WEB-INF/web.xml, but that breaks the internal Web player because it does not seem to be using the REST API.

Can you confirm whether or not there is a security issue here?

Many thanks.
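Added example, not part of the original post and not Madsonic code: a check that the workaround described above (commenting out the servlet-mapping for /stream in web.xml) is really in effect, for instance after an upgrade has replaced the file. The sample web.xml and its servlet names are constructed for illustration; only the /stream and /rest/ paths come from the post.

```python
import xml.etree.ElementTree as ET

# Constructed sample, NOT Madsonic's real web.xml: servlet names are hypothetical.
STREAM_MAPPING = """  <servlet-mapping>
    <servlet-name>example-stream</servlet-name>
    <url-pattern>/stream</url-pattern>
  </servlet-mapping>"""
TEMPLATE = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet-mapping>
    <servlet-name>example-dispatcher</servlet-name>
    <url-pattern>/rest/*</url-pattern>
  </servlet-mapping>
{stream}
</web-app>
"""
SAMPLE_BEFORE = TEMPLATE.format(stream=STREAM_MAPPING)
# Workaround applied: the /stream mapping is wrapped in an XML comment.
SAMPLE_AFTER = TEMPLATE.format(stream="  <!--\n" + STREAM_MAPPING + "\n  -->")


def local(tag):
    """Drop a '{namespace}' prefix so any web.xml schema version is handled."""
    return tag.rsplit("}", 1)[-1]


def active_mappings(web_xml_text):
    """Return {url-pattern: servlet-name} for mappings the container would load.
    Commented-out mappings are not elements, so they never appear here."""
    found = {}
    for elem in ET.fromstring(web_xml_text).iter():
        if local(elem.tag) != "servlet-mapping":
            continue
        fields = [(local(c.tag), (c.text or "").strip()) for c in elem]
        name = next((v for k, v in fields if k == "servlet-name"), None)
        for key, value in fields:
            if key == "url-pattern":
                found[value] = name
    return found


def covers(pattern, path):
    """Exact and prefix ('/x/*') matching only; the default '/' mapping and
    extension patterns such as '*.view' are not evaluated by this check."""
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    return pattern == path


def mappings_serving(web_xml_text, path="/stream"):
    """List the active url-patterns that would still route `path` to a servlet."""
    return sorted(p for p in active_mappings(web_xml_text) if covers(p, path))
```

An empty list from `mappings_serving` means no exact or prefix mapping still routes /stream; a remaining wildcard such as `/*` would show up in the list and would need its own review.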