Bug#747428: [xbmc] passwords are stored in plain xml file
Bálint Réczey
balint at balintreczey.hu
Mon May 19 17:41:04 UTC 2014
Control: found -1 2:11.0~git20120510.82388d5-1
Control: tags -1 confirmed
2014-05-08 16:41 GMT+02:00 Adrien Grellier <perso at adrieng.fr>:
> Package: xbmc
> Version: 2:13.0+dfsg1-1
> Severity: grave
> Tags: security
> X-Debbugs-CC: secure-testing-team at lists.alioth.debian.org
>
> Hi,
>
> I just added a webdav source in xbmc, so it asks for a username and password. But this information is then stored in a plain XML file: ~/.xbmc/userdata/sources.xml, moreover a world-readable file:
>
> adrien ~/ $ ls -l .xbmc/userdata/sources.xml
> -rw-r--r-- 1 adrien adrien 1006 mai 8 16:34 .xbmc/userdata/sources.xml
>
>
> This file should be at least chmod 700 and the users should be informed that the password will be stored in an unsafe manner.
>
> Regards,
>
> Adrien
>
> --- System information. ---
> Architecture: amd64
> Kernel: Linux 3.13-1-amd64
>
> Debian Release: jessie/sid
> 900 testing security.debian.org
> 900 testing ftp.fr.debian.org
> 800 unstable ftp.fr.debian.org
> 700 experimental ftp.fr.debian.org
>
> --- Package information. ---
> Depends (Version) | Installed
> ============================================-+-=======================
> xbmc-bin (>= 2:13.0+dfsg1-1) | 2:13.0+dfsg1-1
> xbmc-bin (<< 2:13.0+dfsg1-1.1~) | 2:13.0+dfsg1-1
> mesa-utils | 8.1.0-2+b1
> x11-utils | 7.7+1
> fonts-dejavu-core | 2.34-1
> OR ttf-dejavu-core | 2.34-1
> fonts-roboto | 1:4.3-3
> libjs-jquery | 1.7.2+dfsg-3
> libjs-iscroll | 5.1.1+dfsg1-1
> python-imaging | 2.3.0-2
> python:any (>= 2.7.5-5~) |
>
>
> Package's Recommends field is empty.
>
> Package's Suggests field is empty.
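
The report above describes a credentials file left at `-rw-r--r--`. The Python below is an added example, not code from XBMC or from this thread: it contrasts a write that inherits the umask with one that creates the file as 0600, and audits a directory for files readable by group or others. The function names, the second file name and the umask of 022 are assumptions made for illustration.

```python
import os
import stat
import tempfile


def write_default(path, data):
    """Pattern behind the report: open() creates the file as 0666 & ~umask."""
    with open(path, "w") as fh:
        fh.write(data)


def write_private(path, data):
    """Create the file owner-only (0600), whatever the umask is."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        os.fchmod(fh.fileno(), 0o600)  # also tightens a file that already existed
        fh.write(data)


def exposed_files(root):
    """Return (path, mode) for regular files under root readable by group or others."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
                hits.append((path, stat.S_IMODE(st.st_mode)))
    return sorted(hits)


def demo():
    """Write the same constructed content both ways, then audit the directory."""
    old = os.umask(0o022)  # assumed umask; it yields the -rw-r--r-- seen in the report
    try:
        with tempfile.TemporaryDirectory() as root:
            sample = "<sources><!-- constructed sample, no real credentials --></sources>\n"
            write_default(os.path.join(root, "sources.xml"), sample)
            write_private(os.path.join(root, "sources_private.xml"), sample)
            return [(os.path.basename(p), oct(m)) for p, m in exposed_files(root)]
    finally:
        os.umask(old)


if __name__ == "__main__":
    print(demo())
```

Pointing `exposed_files()` at a real profile directory such as `~/.xbmc/userdata` lists every file there that other local accounts can read.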