
OpenPHT v1.8.0 / FFmpeg v2.8.11 / AVI GAB2 Struct Vulnerability

bornlibra23 Posts: 83 Members ✭✭
edited August 9 in OpenPHT

FFmpeg v2.8.11 is used in OpenPHT v1.8.0. How can we upgrade this? There is a GAB2 AVI vulnerability in this ffmpeg version. The attached file can be used to generate attack files: "python gen_avi.py /etc/passwd HackAVI.avi.mp4". The resulting files need to be uploaded for transcoding, and the contents of the target file can be seen on the screen in the video.

Answers

  • bornlibra23 Posts: 83 Members ✭✭

    Bump Bump?

  • bornlibra23 Posts: 83 Members ✭✭

    Bump Bump?

  • Kwiboo Posts: 196 Members, Plex Pass

    My understanding of this vulnerability is that it only affects encoding and not decoding. OpenPHT is using ffmpeg for decoding and should not be affected.

    How have you been able to replicate this vulnerability?
    Do you see the file content from your PMS that is doing the transcoding, or a file from your client where OpenPHT is running?

  • bornlibra23 Posts: 83 Members ✭✭

    Yes, that's true. Currently I don't have OpenPHT running on a Raspberry Pi. I intended to get it running but stopped, given this vulnerability, just to get a confirmation. Do you mean to imply that there is absolutely no case where OpenPHT will encode? I know Plex is a server-side system. By the way, do you have an idea about PMS?
    I am going to install and test now.
    Thanks for your words.
