API test console security

Is there a security risk in the API test console?

Is it possible via the test console to upload/download a file to the server tmp folder?

Hi @benny_1,

There is really nothing you can do via the TestMe console that cannot be done via the API directly, in fact, it simply makes API calls itself.
The Admin Console of course allows you to perform many sensitive operations that you would not want to expose to just anyone but the TestMe Console itself simply allows you to test the API and a KS is needed for making most requests.
As for uploading, you can perform an upload the same way you would from KMC, which also makes use of the API [being Flash, it uses the Flex client]. I’m a bit confused about the ‘server tmp folder’ part of your question, however, all uploads make it into /opt/kaltura/web/content/uploads which is the value set for upload_tmp_dir in kaltura.ini under the PHP scandir. From there, the batch daemon handles the digestion.

I don’t know what your end goal is [I could probably offer better solutions if you explain the scenario] but if you’re just looking to test the upload process, you can use /opt/kaltura/bin/upload_test.php which is called as part of the kaltura-sanity.sh script. It’s a CLI script you can use independently.
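As an added defender-side illustration (not code from the thread or from the Kaltura project), the script below does two checks that follow from the answer above: it reads the configured `upload_tmp_dir` from a kaltura.ini-style file and confirms the upload directory is a dedicated location rather than a shared temp directory, and it reports files under a given directory that are owned by a given user and look like scripts (executable bit set or a script extension). The ini layout and the sample files are constructed for the demo; the owner to audit on a real host would be the `kaltura` user rather than the current user, and the directory would be `/tmp`.

```shell
#!/bin/sh
# Added example, not part of the original thread. The ini layout below is a
# constructed sample; a real kaltura.ini may place the key differently.

# Print the value of upload_tmp_dir from an ini-style file (first match, quotes stripped).
upload_tmp_dir_from_ini() {
    sed -n 's/^[[:space:]]*upload_tmp_dir[[:space:]]*=[[:space:]]*//p' "$1" \
        | head -n 1 | tr -d '"' | sed 's/[[:space:]]*$//'
}

# Succeed when the upload directory is not a shared, world-writable temp location.
upload_dir_is_dedicated() {
    case "$1" in
        /tmp|/tmp/*|/var/tmp|/var/tmp/*) return 1 ;;
        *) return 0 ;;
    esac
}

# List regular files under directory $1 owned by user $2 that are executable
# or carry a script extension. Sorted so the output is stable.
find_suspicious_files() {
    find "$1" -type f -user "$2" \
        \( -perm -u+x -o -name '*.php' -o -name '*.sh' -o -name '*.pl' \) 2>/dev/null | sort
}

# Count of the files reported by find_suspicious_files.
count_suspicious_files() {
    find_suspicious_files "$1" "$2" | wc -l | tr -d ' '
}

# --- constructed demo data (hypothetical, created in a scratch directory) ---
demo_root=$(mktemp -d)
cat > "$demo_root/kaltura.ini" <<'EOF'
; constructed sample, not a real Kaltura configuration file
[PHP]
upload_tmp_dir = /opt/kaltura/web/content/uploads
EOF
mkdir "$demo_root/tmp"
printf '%s\n' 'legitimate upload payload' > "$demo_root/tmp/upload.dat"
printf '%s\n' '<?php echo "sample"; ?>' > "$demo_root/tmp/dropped.php"
printf '%s\n' '#!/bin/sh' > "$demo_root/tmp/run"
chmod u+x "$demo_root/tmp/run"

# Demo run: report the configured upload directory and any script-like files
# under the scratch "tmp" directory owned by the current user.
upload_dir=$(upload_tmp_dir_from_ini "$demo_root/kaltura.ini")
echo "upload_tmp_dir: $upload_dir"
if upload_dir_is_dedicated "$upload_dir"; then
    echo "upload directory is dedicated (not a shared temp dir)"
else
    echo "WARNING: uploads land in a shared temp directory"
fi
echo "script-like files owned by $(id -un):"
find_suspicious_files "$demo_root/tmp" "$(id -un)"
```

On a Kaltura host you would point `find_suspicious_files` at `/tmp` with owner `kaltura`; an unexpected hit there is a starting point for reviewing the web server and batch daemon logs around the file's modification time, not proof of a breach by itself.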

I have 2 old kaltura servers.

One with 10.2 and the other with 6.2.

In both of them, I found in the /tmp folder malicious scripts that were owned by the kaltura user.

I am just trying to find out where the source of this security breach could be.

Hi @benny_1,

Since this is a sensitive issue, I answered you in private.
In general, it is best that you upgrade all your instances to the latest version [12.10.0].