Streaming your own media shouldn’t come with a subscription. Here’s why Plex users are frustrated — and why Jellyfin might be a better bet.
    • ShortN0te@lemmy.mlEnglish
      4·
      2 days ago

      Have you even read the issues and understood them?

      Yes, those should be fixed, but unless you are worried about someone hijacking a video stream when you use a generic media path, there is not that much to worry about.

      • maxprime@lemmy.mlEnglish
        11·
        1 day ago

        All (raw) image endpoints in ImageByNameController, ImageController & RemoteImageController are unauthenticated

        • This allows probing on whether a specific image exists on the server by guessing item id’s (which can be done without too much trouble, as item ids are based on filepath and filename information) and then checking on what content (movies, series etc) exist on a given server, without having an account.
        • ShortN0te@lemmy.mlEnglish
          1·
          21 hours ago

          As I said, when you know the exact path of a media item on the server then you can check if the item exists.

          If you choose a none standard filepath its not an issue.

          Should that be fixed yes.

          Whats the scenario? A law firm could brute force check all media items on open jellyfin servers? Highly illegal to exploit something like this in a lot of jurisdiction. And would also not proof the existence of the media on the server, just a file named like it.

          Mitigation? Just add another random letter in the docker-compose mount path.

    • sanpo@sopuli.xyzEnglish
      31·
      2 days ago

      You shouldn’t be exposing any self-hosted service to the public Internet, unless you’re willing to also monitor for potential breaches.

    • Nawor3565@lemmy.blahaj.zoneEnglish
      13·
      2 days ago

      You should really not be exposing jellyfin OR plex to the open Internet. It’s just asking for trouble.