#17698 new Bugs

sftp passwords broadcasted in clear to Kodi Remote devices

Reported by: eatdirt
Owned by: Montellese
Priority: 4 - Normal
Component: Web Server / Web Interface / Web API / JSON-RPC
Version: 17.3 "Krypton" Final
Severity: Normal
Keywords: security sftp password in clear
Cc:
Blocked By:
Blocking:
Platform: All


Hi, I am using a KodiRemote control program on my mobile phone to control Kodi on a Raspberry Pi. This one retrieves some media sources using the sftp protocol to another machine. When accessing these media sources, *from my mobile phone*, the name under which these media sources appear contains the SFTP password in CLEAR!!!! Like this:

sftp://username:[email protected] +list of files

Here is a flowchart to reproduce:

MobilePhone ----http:8080------> KodiRPI <-----sftp----- SFTPMediaStorage

The KodiRemote app I am using is the one of SailFish OS, but the real issue is that KodiRPI is broadcasting the username and password of its sftp sources, in clear, to all remote control apps connected to http:8080.

This is a major security issue :(
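
Added example, not part of the original ticket and not Kodi's own code: a check that walks a JSON-RPC reply, flags every string carrying a URL with an embedded password (as in the `sftp://username:password@host` form reported above), and shows the redacted form a server should send instead. The reply shape (`result.sources` with `file` and `label` fields), the host names and the credentials are constructed assumptions; the walker itself does not depend on any field name.

```python
import json
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample reply listing media sources (not captured from a real device).
SAMPLE_REPLY = json.dumps({
    "id": 1, "jsonrpc": "2.0",
    "result": {"sources": [
        {"file": "sftp://alice:s3cret@storage.example/media/",
         "label": "sftp://alice:s3cret@storage.example/media/"},
        {"file": "smb://nas.example/films/", "label": "Films"},
        {"file": "sftp://bob@storage.example/music/", "label": "Music"},
    ]},
})

# Any scheme://... token inside a string value, so URLs embedded in labels are caught too.
URL_RE = re.compile(r"[a-z][a-z0-9+.-]*://[^\s\"'<>]+", re.I)


def redact_url(url):
    """Return url with the userinfo password replaced by 'xxx'; unchanged if none."""
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed authority (e.g. bad IPv6 literal): left as-is
        return url
    if parts.password is None:
        return url
    userinfo, _, hostport = parts.netloc.rpartition("@")
    user = userinfo.split(":", 1)[0]
    return urlunsplit(parts._replace(netloc=f"{user}:xxx@{hostport}"))


def find_exposed(node, path="$"):
    """Walk decoded JSON; yield (json_path, redacted_value) for strings with a URL password."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from find_exposed(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from find_exposed(value, f"{path}[{index}]")
    elif isinstance(node, str):
        redacted = URL_RE.sub(lambda m: redact_url(m.group(0)), node)
        if redacted != node:
            yield path, redacted


def audit(reply_text):
    """Return the list of (json_path, redacted_value) findings for one JSON-RPC reply."""
    return list(find_exposed(json.loads(reply_text)))
```

An empty result from `audit()` means no string in the reply carried a URL password; each finding names the JSON path that leaked one.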
