this post was submitted on 18 Jul 2025
91 points (85.8% liked)

Selfhosted

60281 readers
604 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Detailed Rules Post

  1. Be civil.

  2. No spam.

  3. Posts are to be related to self-hosting.

  4. Don't duplicate the full text of your blog or readme if you're providing a link.

  5. Submission headline should match the article title.

  6. No trolling.

  7. Promotion posts require active participation, with an account that is at least 30 days old. F/LOSS without a paywall has exceptions, with requirements. See the rules link for details.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 3 years ago
MODERATORS
 

No awards are needed, just wanted to share my excitement that while my Jellyfin server still keeps loosing my entire library every 24 hours at least now it has a domain and ssl cert!

That is all. Happy Friday everyone

you are viewing a single comment's thread
view the rest of the comments
[–] mic_check_one_two@lemmy.dbzer0.com 9 points 11 months ago* (last edited 11 months ago) (1 children)

There are a few security issues with it, but all of the worst known issues require a valid login token. So an attacker would already need to have valid login credentials before they could actually do anything bad. Things like being able to stream video without authentication (but it requires already having a list of the stored media on the server, which means you have been logged in before). Or being able to change other users’ settings (but it requires already being logged in to a valid user).

Basically, make sure you use good passwords, and actually trust any other users to do the same.

[–] Dhs92@piefed.social 9 points 11 months ago

The bug you mentioned actually just requires the attacker knows your local media paths to generate the hash. The issue is that most people use trash guides to setup *arr which means they probably have the same paths for everything