#17698 new Bugs

sftp passwords broadcasted in clear to Kodi Remote devices

Reported by: eatdirt
Owned by: Montellese
Priority: 4 - Normal
Component: Web Server / Web Interface / Web API / JSON-RPC
Version: 17.3 "Krypton" Final
Severity: Normal
Keywords: security sftp password in clear
Cc:
Blocked By:
Blocking:
Platform: All

Description

Hi, I am using a KodiRemote control program on my mobile phone to control Kodi on a Raspberry Pi. This one retrieves some media sources using the sftp protocol to another machine. When accessing these media sources, *from my mobile phone*, the name under which these media sources appear contains the SFTP password in CLEAR!!!! Like this:

sftp://username:[email protected] +list of files

Here is a flowchart to reproduce:

MobilePhone ----http:8080------> KodiRPI <-----sftp----- SFTPMediaStorage

The KodiRemote app I am using is the one for Sailfish OS

https://openrepos.net/content/ade/kodimote-fork

but the real issue is that KodiRPI is broadcasting the username and password of its sftp sources, in clear, to all remote control apps connected to http:8080.

This is a major security issue :(
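
A defensive check for the exposure this ticket reports, added here as an example and not part of the ticket or of Kodi's code: it walks a decoded JSON-RPC style reply and masks the password in any URL that carries one before the reply reaches a remote client. The reply shape, the host names and the function names `redact_url` and `scrub` are assumptions constructed for illustration.

```python
import json
from urllib.parse import urlsplit, urlunsplit

# Constructed sample of a decoded JSON-RPC style reply listing media sources.
# Field names and values are assumptions for illustration, not captured Kodi output.
SAMPLE_REPLY = {
    "jsonrpc": "2.0", "id": 1,
    "result": {"sources": [
        {"label": "sftp://alice:s3cret@nas.example:22/media/",
         "file": "sftp://alice:s3cret@nas.example:22/media/"},
        {"label": "Local", "file": "/home/pi/Videos/"},
        {"label": "Share", "file": "smb://nas.example/films/"},
    ]},
}


def redact_url(value):
    """Return (text, changed); the password in a URL's userinfo becomes ***."""
    try:
        parts = urlsplit(value)
        password = parts.password
    except ValueError:          # malformed authority, nothing safe to rewrite
        return value, False
    if not parts.scheme or not password:
        return value, False     # plain path, or URL without a password
    # Split on the last "@" so a password that itself contains "@" is covered.
    userinfo, _, hostport = parts.netloc.rpartition("@")
    user = userinfo.split(":", 1)[0]
    netloc = f"{user}:***@{hostport}"
    return urlunsplit(parts._replace(netloc=netloc)), True


def scrub(node, path="$", findings=None):
    """Walk decoded JSON, redact credential-bearing URLs, record their paths."""
    findings = [] if findings is None else findings
    if isinstance(node, dict):
        node = {k: scrub(v, f"{path}.{k}", findings)[0] for k, v in node.items()}
    elif isinstance(node, list):
        node = [scrub(v, f"{path}[{i}]", findings)[0] for i, v in enumerate(node)]
    elif isinstance(node, str):
        node, changed = redact_url(node)
        if changed:
            findings.append(path)
    return node, findings


if __name__ == "__main__":
    clean, hits = scrub(SAMPLE_REPLY)
    print(json.dumps(clean, indent=2))
    print("credentials found at:", hits)
```
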

Change History (0)
