

SEC Consult Vulnerability Lab Security Advisory

Title: Authentication bypass (SSRF) and local file disclosure

"Plex is a media player system consisting of a player application with a 10-foot user interface and an associated media server.

Authentication bypass / Server Side Request Forgery (SSRF)

The Plex Media Server "/system/proxy" functionality fails to properly validate

This allows unauthenticated attackers to make the Plex Media Server execute arbitrary HTTP requests. By requesting content from 127.0.0.1 an attacker can bypass all authentication and execute commands with administrative privileges.

Because of insufficient input validation, arbitrary local files can be disclosed. Files that include passwords and other sensitive information can

Plex "Remote" servers (thousands of them can be found via Shodan and Google, none of them were accessed) are affected by both vulnerabilities as well.

The following GET request bypasses the webserver whitelist.

The last X-Plex-Url header value "" is contained in the whitelist (Regex) and passes validation.

The actual request handler in the backend webserver (Python).

Requested is controlled by the first X-Plex-Url value. By indicating a parameter (called IRRELEVANT) the second X-Plex-Url value is

This results in the following request (made by Plex Media Server):

GET /myplex/account?IRRELEVANT=, HTTP/1.1

The response for this request is passed to the attacker and includes the authToken value ("master token"), which can be used to impersonate legitimate

Of course other administrative actions can be performed as well.

" username="" mappingState="mapped" mappingError="" mappingErrorMessage="1" signInState="ok" publicAddress="1" publicPort="9415" privateAddress="1" privatePort="32400" subscriptionFeatures="cloudsync,pass,sync" subscriptionActive="1" subscriptionState="Active">

A video demonstrating this issue has been released by SEC Consult:
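The whitelist bypass in this advisory works because the value that is validated (the last X-Plex-Url header) is not the value that is requested. The following is an added example, not code from the advisory or from Plex, showing that flawed pattern beside a hardened check; `flawed_target`, `hardened_target`, the `allowed.example` allow-list and the comma-joining of duplicate header values (inferred from the `IRRELEVANT=,` in the resulting request) are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Hypothetical allow-list; the advisory does not show the real regex.
ALLOWED_HOST = re.compile(r"(?:[a-z0-9-]+\.)*allowed\.example")


def _values(headers):
    """All X-Plex-Url values, in the order they were sent."""
    return [v for k, v in headers if k.lower() == "x-plex-url"]


def _host_allowed(url):
    host = (urlsplit(url).hostname or "").lower()
    return bool(ALLOWED_HOST.fullmatch(host))


def flawed_target(headers):
    """Pattern from the advisory: the check sees the last value only."""
    values = _values(headers)
    if not values or not _host_allowed(values[-1]):
        raise ValueError("X-Plex-Url not in whitelist")
    # Assumption: the handler receives the duplicates comma-joined.
    return ",".join(values)


def hardened_target(headers):
    """Validate exactly the string that will be fetched."""
    values = _values(headers)
    if len(values) != 1:
        raise ValueError("exactly one X-Plex-Url header is required")
    url = values[0]
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("absolute http(s) URL required")
    try:
        ipaddress.ip_address(parts.hostname)
    except ValueError:
        pass  # not an IP literal, fall through to the allow-list
    else:
        raise ValueError("IP-literal targets are refused")
    if not _host_allowed(url):
        raise ValueError("host not in allow-list")
    return url


# Constructed sample requests as (header name, value) pairs.
DUPLICATE = [("X-Plex-Url", "http://127.0.0.1:32400/myplex/account?IRRELEVANT="),
             ("X-Plex-Url", "http://allowed.example/")]
MERGED = [("X-Plex-Url", ",".join(v for _, v in DUPLICATE))]
GOOD = [("X-Plex-Url", "http://cdn.allowed.example/feed.xml")]
```

A hostname allow-list alone does not cover redirects or an allowed name that resolves to a loopback address, so the resolved address should also be checked when the connection is made.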
