Plex Web Server - Security &/OR Privacy Concern in PlexWeb 'Root' (MediaContainer/XML)

Server Version#: 1.29.0.6244 (Local ip scope/subnet ‘No Login’ Auth in Plex settings)
Player Version#: PlexWeb 4.87.2

Windows Server 2016 (Up to date).
Google Chrome (as Network Client)

Not sure if this is a Security/Privacy flaw or perhaps a feature.

When contacting my Plex Media Server’s root using its http://IP:Port (i.e. http://192.168.0.25:32400) WITHOUT adding either trailing /manage/ or /web/ to the address from any machine on the local network using Google Chrome (only browser I tried), I am greeted with an XML output that within “MediaContainer” open/close tags, contains my email/login id, Plex Subscription account status, OwnerFeatures, Machine ID/Server Name and other Setup specific settings (encoder, login etc) along with a bunch of other info about my account/platform/etc.

Top of the page reads:
This XML file does not appear to have any style information associated with it. The document tree is shown below.

Is there any way to simply add a BLANK index.html file into the root of Plex’s Web Server/Service so that this info is not accessible to anyone on my network that attempts to contact the server, but fails to use the complete address?

After searching the web, I found this is quite an old problem and I am surprised that it hasn’t been addressed yet.

If told where the ACTUAL PlexWeb Root is, I would happily add a blank index.html file there myself, or even a redirect to the full address. Where is the “http://ip:32400/” Root?
Thanks in advance.

This information is only given out to hosts in the local network.
Is the local network not your own?

For any random host on your network it is very unlikely to call your server’s IP plus the port number 32400 by accident in a web browser.

For legitimate users to whom you have granted access to your Plex server, there is no need to call the local IP of your server either. They can simply use the hosted web app.

The API root is only shown when authentication is disabled (List of IP addresses allowed without authentication). Since authentication is disabled, a token is not required to access the API.

The API root automatically redirects to the web app when authentication is enabled and a token is not provided in the API request.
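Added example, not part of the thread and not Plex code: a Python check that compares which clients actually receive the unauthenticated root XML against the list of addresses allowed without authentication. The attribute names, the treatment of 401/403 as protected, and the sample addresses and responses are assumptions.

```python
import ipaddress
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Assumed attribute names for the account/server details the post lists.
SENSITIVE = ("myPlexUsername", "myPlexSubscription", "ownerFeatures",
             "machineIdentifier", "friendlyName")

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # report the 3xx instead of following it

def fetch_root(base_url, timeout=5):
    """Token-less GET of the server root from this host: (status, body)."""
    try:
        with urllib.request.build_opener(NoRedirect).open(base_url, timeout=timeout) as r:
            return r.status, r.read()
    except urllib.error.HTTPError as e:
        return e.code, b""

def classify_root(status, body):
    """Return (verdict, exposed attribute names) for one root response."""
    if 300 <= status < 400 or status in (401, 403):
        return "protected", []  # redirected to the web app or refused
    if status == 200:
        try:
            root = ET.fromstring(body)
        except ET.ParseError:
            return "other", []
        if root.tag == "MediaContainer":
            return "exposed", [a for a in SENSITIVE if root.get(a)]
    return "other", []

def unexpected_exposure(observations, allowlist):
    """observations maps client IP -> (status, body) seen from that client.
    Returns clients that got the XML although outside the no-auth allowlist."""
    nets = [ipaddress.ip_network(n, strict=False) for n in allowlist]
    def allowed(ip):
        return any(ipaddress.ip_address(ip) in n for n in nets)
    return sorted(ip for ip, (s, b) in observations.items()
                  if classify_root(s, b)[0] == "exposed" and not allowed(ip))

# Constructed sample responses, not captured from a real server.
XML = (b'<MediaContainer friendlyName="home" machineIdentifier="abc123" '
       b'myPlexUsername="user@example.com" myPlexSubscription="1" ownerFeatures="x,y"/>')
SAMPLE = {"192.168.0.10": (200, XML), "192.168.0.77": (200, XML),
          "192.168.0.90": (302, b"")}
```

Run `fetch_root("http://192.168.0.25:32400/")` on each machine you want to test and pass the collected results to `unexpected_exposure` together with the addresses you entered in the server's no-authentication list.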

This helps.
Yes, Authentication is disabled for my personal machines, but all other Users on the local Network use the proper address and require standard authentication (Mobile/TVs etc) to access Plex.

I just wasn’t sure if this could be seen by anyone else, as I plan to share my Server with a few remote family members once my Gig Fiber is installed.

Thanks to those that replied.
This community has always been great and is an added bonus for Plex.