Comment on Moving from Cloudflare tunnels for media streaming, first plan didn't work out due to double NAT
Max_P@lemmy.max-p.me 1 week agoI keep hearing claims that it’s not secure enough to be exposed on the Internet, but I can’t seem to find anything about unauthenticated vulnerabilities. It’s got a fair amount of CVEs but they all seem to affect when you’re an already authenticated user, mainly to XSS an admin as a regular user or the likes.
It’s written in C#, and publicly all you can do is pretty much attempt to log in, this feels like it should be pretty sane compared to some other PHP crap I run.
Do you have any examples of previous exploits or anything else to be concerned about?
SirMaple__@lemmy.ca 1 week ago
Strit@lemmy.linuxuserspace.show 1 week ago
Most of the relevant issues they link to has been closed and/or dealt with.
ChapulinColorado@lemmy.world 6 days ago
You don’t have to take my word on this, but when you have so many vulnerabilities, the foundation and knowledge about security practices by the developers is missing some key ingredients.
I use Jellyfin. I like jellyfin. I would like people to use jellyfin, but do it responsibly.
Citing backwards compatibility is not an acceptable answer either. If individual endpoints and/or protocols (web sockets) are being addressed as separate issues, then there is no overall filter for the most basic thing as checking if the user is authenticated, you know a potential attacker will look for more.
Will they target jellyfin instead of your average government website with a low budget and similar issues? Unlikely, but possible if the level of effort is low and can potentially create a large botnet, maybe?
You handle these with overall filters (or whatever they are called on c#) and white lists if something truly needs not to have it instead of reacting when someone reports it.
The simple fact that some of the code was sending api keys as GET parameters (which get logged cross every access log in the middleware on its way to the target server) and it didn’t raise any flags seems sufficient enough to suggest DO NOT expose jellyfin directly to the internet.
Max_P@lemmy.max-p.me 4 days ago
Yeah, that’s enough to not have it exposed directly. I understand why they did it that way but very good to know, thanks!