this post was submitted on 02 Apr 2025
230 points (100.0% liked)

Technology

38484 readers
494 users here now

A nice place to discuss rumors, happenings, innovations, and challenges in the technology sphere. We also welcome discussions on the intersections of technology and society. If it’s technological news or discussion of technology, it probably belongs here.

Remember the overriding ethos on Beehaw: Be(e) Nice. Each user you encounter here is a person, and should be treated with kindness (even if they’re wrong, or use a Linux distro you don’t like). Personal attacks will not be tolerated.

Subcommunities on Beehaw:

This community's icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.

founded 3 years ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
230
I don't know who needs to hear this, but DO NOT EVER expose Jellyfin to the internet (github.com)
submitted 1 week ago by [email protected] to c/[email protected]
172 comments fedilink hide all child comments
 

Collection of potential security issues in Jellyfin This is a non exhaustive list of potential security issues found in Jellyfin. Some of these might cause controversy. Some of these are design fla...

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 6 points 1 week ago* (last edited 1 week ago) (12 children)

It isn't randomly generated. If you read through you would have known that.

Also, Rainbow tables.

tldr, Rainbow tables are precomputed lists of hashed values used to crack password hashes quickly. Instead of hashing each password guess on the fly, attackers use these tables to reverse hashes and find the original passwords faster, especially for weak or common ones. They're less effective against hashes protected by a unique salt.

[–] [email protected] 16 points 1 week ago (11 children)

If the ID is the MD5 of the path, rainbow tables are completely useless. You don't have the hash. You need to derive the hash by guessing the path to an existing file, for each file.

[–] [email protected] 2 points 1 week ago (10 children)

How unique do you suppose file system paths are?

How many hashes would one need to gather to quickly determine the root path for all files? Paths are not random so guessing the path is just a rainbow table.

The scanning for known releases becomes trivial once the file system pattern is known.

[–] [email protected] 3 points 1 week ago

If the server is using a standard path prefix and a standard file layout and is using standard file names it isn't that difficult to find the location of a media file and then from there it would be easier to find bore files, assuming the paths are consistent.

But even for low entropy strings, long strings are difficult to brute force, and rainbow tables are useless for this use case.

load more comments (9 replies)
load more comments (9 replies)
load more comments (9 replies)