I don't know who needs to hear this, but DO NOT EVER expose Jellyfin to the internet

Scary le Poo@beehaw.org · 3 days ago

I don't know who needs to hear this, but DO NOT EVER expose Jellyfin to the internet

i_am_not_a_robot@discuss.tchncs.de · 3 days ago

If the ID is the MD5 of the path, rainbow tables are completely useless. You don’t have the hash. You need to derive the hash by guessing the path to an existing file, for each file.

Clent@lemmy.dbzer0.com · 3 days ago

How unique do you suppose file system paths are?

How many hashes would one need to gather to quickly determine the root path for all files? Paths are not random so guessing the path is just a rainbow table.

The scanning for known releases becomes trivial once the file system pattern is known.

i_am_not_a_robot@discuss.tchncs.de · 2 days ago

If the server is using a standard path prefix and a standard file layout and is using standard file names it isn’t that difficult to find the location of a media file and then from there it would be easier to find bore files, assuming the paths are consistent.

But even for low entropy strings, long strings are difficult to brute force, and rainbow tables are useless for this use case.

I don't know who needs to hear this, but DO NOT EVER expose Jellyfin to the internet

I don't know who needs to hear this, but DO NOT EVER expose Jellyfin to the internet

Collection of potential security issues in Jellyfin · Issue #5415 · jellyfin/jellyfin