Admin Authentication Bypass (via plex account) when password requirement not set #801

Closed
Appletini opened this issue Dec 18, 2016 · 0 comments

Appletini commented Dec 18, 2016

Plex Requests.Net Version:

1.10.1

Update Branch:

Stable

Operating System:

Windows 10

Mono Version:

N/A

Applicable Logs (from /logs/ directory or the Admin page):

We are authenticated! Setting session. PlexRequests.UI.Modules.UserLoginModule Debug 12/18/2016 2:00:46 AM
Friends list result = True PlexRequests.UI.Modules.UserLoginModule Debug 12/18/2016 2:00:46 AM
User is the account owner PlexRequests.UI.Modules.UserLoginModule Debug 12/18/2016 2:00:46 AM
Need to auth PlexRequests.UI.Modules.UserLoginModule Debug 12/18/2016 2:00:44 AM
Username "*********" attempting to login PlexRequests.UI.Modules.UserLoginModule Debug 12/18/2016 2:00:44 AM

Reproduction Steps:

Step 0: Have the server set up with an admin user registered, and add your Plex info etc. (note: the admin user I registered with the PlexRequest.net server was different from my Plex username)
Step 1: Check off "Enable User Authentication" under Settings > Authentication
Step 2: Uncheck "Require users to login with their passwords"
Step 3: Guess/know the admin user's Plex name (not hard to do if you're using their Plex server)
Step 4: Enter the Admin's Plex Username, and gain access to the admin account

Basically, what seems to be happening is that you end up with 2 admin accounts: 1 that you registered, and 1 that you have from adding your Plex server. The problem is that allowing the "easy auth" method for users only using their username also allows the "admin" Plex account to log in without a password and gain full admin control over plexrequest.net
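
The login decision described in this report, modeled as an added C# example beside one possible hardened form; this is not PlexRequests.Net's code. Every type, method and value in it is hypothetical, and it assumes "Enable User Authentication" is switched on.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical model of the login decision; none of these names are the project's own.
public enum Role { None, User, Admin }

public sealed class AuthSettings
{
    public bool UsePassword;   // "Require users to login with their passwords"
}

public static class LoginPolicy
{
    // Constructed sample data standing in for the Plex account owner and friends list.
    const string Owner = "owner_plex_name";
    static readonly HashSet<string> Friends =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "friend_one" };

    // Stand-in for a real credential check against the Plex account service.
    static bool PasswordOk(string user, string password) => password == "correct-" + user;

    // Behaviour described in the report: with passwords not required, a matching
    // username alone authenticates, and the owner's name maps to admin.
    public static Role Vulnerable(AuthSettings s, string user, string password)
    {
        bool isOwner = string.Equals(user, Owner, StringComparison.OrdinalIgnoreCase);
        if (!isOwner && !Friends.Contains(user)) return Role.None;
        if (s.UsePassword && !PasswordOk(user, password)) return Role.None;
        return isOwner ? Role.Admin : Role.User;
    }

    // Hardened: the privileged identity always needs a verified password,
    // whatever the convenience setting for ordinary users says.
    public static Role Hardened(AuthSettings s, string user, string password)
    {
        bool isOwner = string.Equals(user, Owner, StringComparison.OrdinalIgnoreCase);
        if (!isOwner && !Friends.Contains(user)) return Role.None;
        bool verified = password != null && PasswordOk(user, password);
        if ((isOwner || s.UsePassword) && !verified) return Role.None;
        return isOwner ? Role.Admin : Role.User;
    }

    public static void Main()
    {
        var s = new AuthSettings { UsePassword = false };
        Console.WriteLine(Vulnerable(s, Owner, null));
        Console.WriteLine(Hardened(s, Owner, null));
        Console.WriteLine(Hardened(s, "friend_one", null));
    }
}
```

The hardened branch keeps passwordless login for ordinary users and separates the admin role from the convenience setting.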
