v16 Vulnerability to report
#1
Hello,

I have found a minor remote vulnerability in Kodi. Can an official developer or admin contact me back so I can give you all the details to fix it?

Thanks in advance.
Regards,
Guillaume
#2
Why don't you just post it here so it could be fixed by someone who has time for v17?
Regardless, there won't be any update for v16 anymore.
#3
I usually never disclose vulnerabilities publicly; instead I privately report them to the developers, giving a reasonable time for a fix (even for a minor vulnerability).
However, I wasn't aware v16 was EOL and would not be fixed. I will thus publish the vulnerability soon and post it here then. If a developer wants to take a look at it before I do that, send me a mail/PM.

Regards,
Guillaume
#4
Kodi embedded web server can be remotely crashed by sending a single GET request containing "../" multiple times.

A working exploit is available at: https://www.exploit-db.com/exploits/40208/

Regards,
Guillaume
#5
I feel it's been forgotten. Thank you for reporting this, gkweb76. There's been some work in the pipeline to protect against path traversal that might resolve this issue, but I haven't tested to see if it actually does.
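Added example, not part of the thread and not Kodi's code: one way an embedded web server can canonicalize a request path and refuse any path whose "../" segments climb above the web root, which is the kind of path traversal protection post #5 refers to. The function names and the 2048-byte limit are assumptions made for this sketch, it expects the path without a query string, and it has not been tested against the crash reported in #4.

```cpp
#include <cctype>
#include <optional>
#include <string>
#include <vector>

constexpr std::size_t kMaxPathLen = 2048;  // assumed limit for this example

// Decode %XX escapes once; nullopt on a malformed escape or an encoded NUL.
std::optional<std::string> percentDecode(const std::string& in) {
    auto hex = [](unsigned char c) -> int {
        if (std::isdigit(c)) return c - '0';
        c = static_cast<unsigned char>(std::tolower(c));
        return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
    };
    std::string out;
    for (std::size_t i = 0; i < in.size(); ++i) {
        if (in[i] != '%') { out += in[i]; continue; }
        if (i + 2 >= in.size()) return std::nullopt;      // truncated escape
        int hi = hex(in[i + 1]), lo = hex(in[i + 2]);
        if (hi < 0 || lo < 0 || (hi == 0 && lo == 0)) return std::nullopt;
        out += static_cast<char>(hi * 16 + lo);
        i += 2;
    }
    return out;
}

// Returns the canonical path (e.g. "/a/c"), or nullopt when the request must
// be refused: over-long, badly encoded, backslash, or ".." above the root.
std::optional<std::string> normalizeRequestPath(const std::string& raw) {
    if (raw.empty() || raw[0] != '/' || raw.size() > kMaxPathLen) return std::nullopt;
    auto decoded = percentDecode(raw);   // decode first so %2e%2e is seen as ".."
    if (!decoded || decoded->find('\\') != std::string::npos) return std::nullopt;

    std::vector<std::string> stack;      // path segments kept so far
    for (std::size_t pos = 1; pos <= decoded->size();) {
        std::size_t end = decoded->find('/', pos);
        if (end == std::string::npos) end = decoded->size();
        std::string seg = decoded->substr(pos, end - pos);
        if (seg == "..") {
            if (stack.empty()) return std::nullopt;  // would leave the root
            stack.pop_back();
        } else if (!seg.empty() && seg != ".") {
            stack.push_back(seg);
        }
        pos = end + 1;
    }
    std::string out;
    for (const auto& s : stack) out += "/" + s;
    return out.empty() ? "/" : out;
}
```

A caller would answer a `nullopt` result with a 400-class response and only ever open the returned canonical path under the web root.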