Can change "root" password with wizard #6486
Comments
Digging some more I see that

The wizard shows up on LAN, but not a remote connection
Unfortunately, as the screenshot shows, it shows up remotely for me. I can't log in via the login UI since my admin account has remote access disabled, but the wizard shows up on remote access also.

On Jan 31, 2025, at 12:45 PM, HamletDuFromage wrote:
The wizard shows up on LAN, but not a remote connection
Non admins should not be able to progress on that page. If someone managed to figure out the password for one of your admin accounts on Jellyfin, this method of attack has already become pointless to them. Though that's not to say that this shouldn't be looked into. Also, you can't access the startup wizard without being local. There may be something in your remote setup that makes Jellyfin perceive your connection as being local and not remote.
I am talking about the admin user in this case. I have only had one user at this point, which was the primary account. I'll see if I can reproduce by uninstalling and reinstalling.

On Jan 31, 2025, at 1:17 PM, maru801 wrote:
Non admins should not be able to progress on that page.
I tried it out on a private window, and going to that screen just resulted in endless loading.
If someone managed to figure out the password for one of your admin accounts on Jellyfin, this method of attack has already become pointless to them.
Though that's not to say that this shouldn't be looked into.
That screen is not proceed-able when IsStartupWizardCompleted is true. The problem here is that you have it being false.
Right. Why was it false is my question. I only found out by accident because I went through punching a hole through my NAT and having to sign in non-locally. I didn't manually alter the config XML, obviously. The side effect is a significant security issue, obviously. The only unusual thing I can recall on this machine is installing and uninstalling via brew, then installing again a month later.

On Jan 31, 2025, at 9:39 PM, gnattu wrote:
That screen is not proceed-able when IsStartupWizardCompleted is true. The problem here is that you have it being false.
Even if someone manages to figure out the URL to access your Jellyfin server, this issue is not going to benefit them until they figure out the admin username and password. Without being signed in as an admin, this will not do anything as it just loads forever. In order to possibly exploit this, the random person needs to know your admin name and password, in which case they don't even need to do this. Having access to an admin account, they can just go to the dashboard and change the login details there.
They don't need the password: the wizard lets you set it as if it's a brand new account. Also, the wizard is redirected to automatically when hitting /web. They do need to know the username, but that's not a tough guess. You don't need to be signed in: as I said, the behaviour is reproducible in incognito.

On Jan 31, 2025, at 10:12 PM, maru801 wrote:
Even if someone manages to figure out the URL to access your Jellyfin server, this issue is not going to benefit them until they figure out the admin username and password.
Without being signed in as an admin, this will not do anything as it just loads forever.
In order to possibly exploit this, the random person needs to know your admin name and password, in which case they don't even need to do this. Having access to an admin account, they can just go to the dashboard and change the login details there.
That is normal behavior on a brand new server. As gnattu pointed out, this will not be an issue once IsStartupWizardCompleted is marked as true in the system.xml file. Something most likely happened outside of Jellyfin that caused your IsStartupWizardCompleted to be marked as false. Otherwise, this becomes an issue of figuring out a bug that causes that to switch to false, which I have not heard of yet.
The worst part is completing the wizard doesn't mark the flag as true on this machine, so I keep getting the wizard every time I log in with a fresh session. O_o

On Feb 1, 2025, at 12:30 AM, maru801 wrote:
That is normal behavior on a brand new server. As gnattu pointed out, this will not be an issue once IsStartupWizardCompleted is marked as true in the system.xml file.
Something most likely happened outside of Jellyfin that caused your IsStartupWizardCompleted to be marked as false.
Otherwise, this becomes an issue of figuring out a bug that causes that to switch to false, which I have not heard of yet.
That's not normal and it sounds like Jellyfin doesn't have write access to the
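A check an operator can run for the state this thread describes, added here as an example and not part of the issue or of Jellyfin's own code: it reads a system.xml, reports whether IsStartupWizardCompleted is false or missing, and whether the file is writable (the write-access suspicion raised above). The root element name and the sample config are constructed assumptions; only the element name and file name come from the thread.

```python
"""Audit a Jellyfin system.xml for the startup-wizard flag discussed in this issue.
Added example, not Jellyfin project code: the element name and file name come from
the thread; the root element and the rest of the sample below are constructed."""
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample in the state the reporter describes: the flag is false.
SAMPLE_SYSTEM_XML = """<?xml version="1.0" encoding="utf-8"?>
<ServerConfiguration>
  <IsStartupWizardCompleted>false</IsStartupWizardCompleted>
  <EnableRemoteAccess>true</EnableRemoteAccess>
</ServerConfiguration>
"""


def wizard_flag(xml_text: str):
    """Return True/False for IsStartupWizardCompleted, or None if the element is absent."""
    root = ET.fromstring(xml_text)
    # Walk the whole tree and ignore namespaces so a layout change does not hide the flag.
    for el in root.iter():
        if el.tag.split("}")[-1] == "IsStartupWizardCompleted":
            return (el.text or "").strip().lower() == "true"
    return None


def audit_system_xml(path: str) -> list:
    """Return findings as strings; an empty list means nothing to fix."""
    findings = []
    with open(path, encoding="utf-8") as fh:
        flag = wizard_flag(fh.read())
    if flag is None:
        findings.append("IsStartupWizardCompleted not found: cannot confirm setup is complete")
    elif flag is False:
        findings.append("IsStartupWizardCompleted is false: wizard reachable, admin password can be reset")
    # The thread suggests the flag stays false when Jellyfin cannot write the file back.
    # Run this as the Jellyfin service user for the permission check to be meaningful.
    if not os.access(path, os.W_OK):
        findings.append("system.xml is not writable: completing the wizard cannot persist")
    return findings


def demo() -> list:
    """Write the constructed sample to a temp file and audit it."""
    with tempfile.NamedTemporaryFile("w", suffix=".xml", delete=False) as tmp:
        tmp.write(SAMPLE_SYSTEM_XML)
    try:
        return audit_system_xml(tmp.name)
    finally:
        os.unlink(tmp.name)
```

Point audit_system_xml at the real config path of your install; a clean result is an empty list.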
You need to provide complete, detailed steps to reproduce this from start to finish. Your comments have been a bit all over the place as to what you have done to get into this state, and so far no one has been able to reproduce this.
Describe The Bug
I can change the primary user's admin password by forcing the wizard web UI
Steps To Reproduce
Expected Behavior
No wizard access, especially with remote connections!
System (please complete the following information):
I have other non-root users. Remote connections are allowed. Is this a misconfig? Let me know if you need a config or log dump.