@KarlDag said:
How do I make sure this doesn’t happen to me? Chexk the setting to let secure connections only?
Check the setting in the advanced server configuration
https://support.plex.tv/hc/en-us/articles/201105343-Advanced-Hidden-Server-Settings
If you have a preference in there named
disableRemoteSecurity="1"
then the need for authentication has been disabled globally on your server.
i.e. it is wide open
If the preference is not there
or it has a value of 0 then you are not affected and all is well.
@OttoKerner said:
Check the setting in the advanced server configuration
https://support.plex.tv/hc/en-us/articles/201105343-Advanced-Hidden-Server-Settings
If you have a preference in there named
disableRemoteSecurity="1"
then the need for authentication has been disabled globally on your server.
i.e. it is wide open
If the preference is not there
or it has a value of 0 then you are not affected and all is well.
If you are running Plex Server under Windows, and you have the correct setting for secure connections in the Plex Server settings, will this be the same as what is listed in the registry, or does the registry key somehow override the setting you see in the server settings?
@kegobeer-plex said:
If you are running Plex Server under Windows, and you have the correct setting for secure connections in the Plex Server settings, will this be the same as what is listed in the registry, or does the registry key somehow override the setting you see in the server settings?
The “secure connections” preference has nothing to do with the particular issue discussed in here.
All server settings are saved in the registry. Just take a look, you might recognise some of them by their “key” name.
@KarlDag said:
Just so I’m clear, this only affects people using this docker 3rd party version, right?
This container was one of a few culprits we know about. It was not alone in this behavior. Check the aforementioned disableRemoteSecurity preference. It should be not present or 0, otherwise your security is disabled.
@kegobeer-plex
I have always had it under linux
@dasaint said:
@kegobeer-plex
I have always had it under linux
I suspect this was a much larger problem for Linux distros than the Windows releases. I never read any posts about remote security changes suddenly appearing in the registry.
My guess is this is largely related to 3rd party containers/repos on linux, which there’s no need for on Windows. For once, running full-fat ubuntu instead of completely headless seems to be a good thing, as I can just grab the package off the site in firefox and not fool with 3rd party apt repos
@kinoCharlino @gbooker02 - do we have a fix for these yet? i mean short of emailing the people with these servers is there no way to protect them?
One of the ones listed has several photo albums of family pictures, work events and such which in some countries could land the user in a heap of trouble!
The fix was in place before this thread was even started and you’ll see it in an upcoming release.
@gbooker02 - do you mind if i ask what was done to resolve this?
@teshiburu said:
@KarlDag said:
@dasaint you should probably take off that screenshot, I’ve just tested one of the addresses for the heck of it and it’s still accessible… it would be wise not to share it here on top of the private group.
EDIT the server contains private videos, wouldn’t want those shared to the world.
Believe it or not - ive messaged each of the people on that list, and the ones with the private videos didnt even reply! I was tempted to help their privacy a bit by removing the library, but i think thats one step too far on my part!
LOL!!! You could of done so much more. You are a very kind person.
@gbooker02
Doesn’t look like a patch is in place! Sadly more and more posted today!
[moderator edit: screenshot removed]
@teshiburu said:
Doesn’t look like a patch is in place! Sadly more and more posted today!
A patch requires people to actually update their server software…
@OttoKerner Are you saying a patch is in place? if so what version was it implemented in?
@dasaint said:
@OttoKerner Are you saying a patch is in place? if so what version was it implemented in?
The configuration key disableRemoteSecurity was made ineffective in PMS > 1.8.0 I think.
1.7.4 and up have the hidden pref (disableRemoteSecurity) removed which is largely responsible for this whole issue.
