Plex QNAP root access

Server Version#: 1.20.4.3517

I found a huge security flaw in QNAP Plex server. I started searching for a fix and found this topic: https://forum.qnap.com/viewtopic.php?t=140047. First post in Mar 2018, and no fixes since then? I truly believe you should take Plex server away from downloads until this is fixed on QNAP's side. As you can read, Synology already fixed it, QNAP has not. If you want to provide Plex to QNAP users, you must provide instructions on how to create a VM and run Plex inside the VM.

As others pointed out in the thread in the QNAP forum, that’s not specific to Plex but how QNAP runs their apps. I won’t advocate or justify their design decision/approach — but why should Plex punish their users for QNAP’s failure to respond? Have you considered opening a case with QNAP (not just posting in their forum)?

Plex punishes their users by creating a huge security flaw in their NASes. If Plex can’t make the app run securely (regardless of where the root of the problem is—at Plex or at QNAP), they should not allow the app to run at all. It’s obvious and common sense. As you can read in that thread, there was already a case opened with QNAP and they ignored it. So, only public discussion can solve the situation.

@m_emelchenkov1

You are complaining to the wrong people.

The QNAP QDK (QNAP’s SDK) runs apps as root.
QTS provides the security to shared folders through its API.

If you have a problem with it, please take it up with them or don’t use QNAP products.

If your NAS isn’t physically secure or you don’t trust the people in your home, you have bigger issues to resolve.

I am glad you are aware of this issue and agreed it exists. But your rhetoric is counter-productive, you don’t want to admit the obvious. Should I consider this “won’t fix” as the official position of your company?

You can infer no such statement or position by Plex.

I will not engage in this non-productive discussion further as, by your own statement,

  1. As the QNAP NAS administrator:
    a. You are empowered to look at anything on the system.
    b. You are also the only user who can install PMS (App Center requirement)

  2. You are not seeing a security hole. You are viewing other users’ files using the authority granted you by QTS - which is BY DESIGN because you signed in with the credentials granting you that access level.

  3. When PMS is configured, users have NO access to the host OS / file system it’s installed on. They may only play or sync the media to which they have been granted access by the PMS account holder.

Have a nice day.

This is not on Plex.

This statement is unfair, untrue and very aggressive.

If you feel this strongly about it, stop using Plex on QNAP. In fact, stop using QNAP.

Regardless, it is wrong to blame Plex for something that QNAP allows. It is also not fair to expect Plex to spin-off and maintain a special version to handle this given that Plex is for individuals, friends and families (not corporations).

1 Like

Closing this thread, since it’s a road to nowhere, and @ChuckPa already said that this is not related to Plex

3 Likes