Bug#747428: [xbmc] passwords are stored in plain xml file
Adrien Grellier
perso at adrieng.fr
Thu May 8 14:41:28 UTC 2014
Package: xbmc
Version: 2:13.0+dfsg1-1
Severity: grave
Tags: security
X-Debbugs-CC: secure-testing-team at lists.alioth.debian.org
Hi,
I just added a webdav source in xbmc, so it asks for a username and password. But this information is then stored in a plain XML file: ~/.xbmc/userdata/sources.xml, moreover a world-readable file:
adrien ~/ $ ls -l .xbmc/userdata/sources.xml
-rw-r--r-- 1 adrien adrien 1006 mai 8 16:34 .xbmc/userdata/sources.xml
This file should be at least chmod 700 and the users should be informed that the password will be stored in an unsafe manner.
Regards,
Adrien
--- System information. ---
Architecture: amd64
Kernel: Linux 3.13-1-amd64
Debian Release: jessie/sid
900 testing security.debian.org
900 testing ftp.fr.debian.org
800 unstable ftp.fr.debian.org
700 experimental ftp.fr.debian.org
--- Package information. ---
Depends (Version) | Installed
============================================-+-=======================
xbmc-bin (>= 2:13.0+dfsg1-1) | 2:13.0+dfsg1-1
xbmc-bin (<< 2:13.0+dfsg1-1.1~) | 2:13.0+dfsg1-1
mesa-utils | 8.1.0-2+b1
x11-utils | 7.7+1
fonts-dejavu-core | 2.34-1
OR ttf-dejavu-core | 2.34-1
fonts-roboto | 1:4.3-3
libjs-jquery | 1.7.2+dfsg-3
libjs-iscroll | 5.1.1+dfsg1-1
python-imaging | 2.3.0-2
python:any (>= 2.7.5-5~) |
Package's Recommends field is empty.
Package's Suggests field is empty.
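Added example, not part of the original report and not xbmc code: an audit of the file described above that reports whether group or other can read it and which sources carry a password embedded in their URL, then restricts the file to its owner. The <sources>/<source>/<name>/<path> layout, the sample content and the choice of mode 0600 are assumptions made for this example.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample; the element layout is an assumption, not taken from the report.
SAMPLE = """<sources>
  <video>
    <source>
      <name>nas</name>
      <path>dav://alice:s3cret@nas.example/media/</path>
    </source>
    <source><name>local</name><path>/srv/video/</path></source>
  </video>
</sources>
"""

def audit_sources(path):
    """Return (mode, exposed, creds). exposed is True when group or other can
    read the file; creds lists (source, scheme, user, host), never the password."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    exposed = bool(mode & (stat.S_IRGRP | stat.S_IROTH))
    creds = []
    for source in ET.parse(path).getroot().iter("source"):
        name = source.findtext("name", default="?")
        for node in source.iter("path"):
            url = urlsplit((node.text or "").strip())
            if url.password:  # user:password@host embedded in the URL
                creds.append((name, url.scheme, url.username, url.hostname))
    return mode, exposed, creds

def harden(path):
    """Restrict the file to its owner (rw-------) and return the new mode."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return stat.S_IMODE(os.stat(path).st_mode)

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sources.xml")
        with open(path, "w") as fh:
            fh.write(SAMPLE)
        os.chmod(path, 0o644)  # -rw-r--r--, the mode shown in the ls output
        before = audit_sources(path)
        return before, harden(path), audit_sources(path)

if __name__ == "__main__":
    print(demo())
```

The second audit still lists the same credential: tightening the mode only keeps other local accounts out, while the password stays in cleartext for anything running as the owner.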