2012-11-05, 22:31
acidgen, no offense intended, but from my perspective that report is incomplete. Specifically, "Potentially any device running XBMC with the webserver might be vulnerable." Would it not be more accurate to say, "Potentially any device running XBMC with the webserver exposed to the internet might be vulnerable"?
And then in solutions, instead of what is there...
"There is a patch as of 2012-11-05. Most users will not be affected, as they likely have not exposed their webserver to the internet. However, users who have opened a port on their server to expose the webserver to the internet are advised to disable or password-protect their XBMC Web application with a strong password and username."
To be fair, I assume you wrote the report prior to Montellese's patch, so I'm not too concerned about that bit. But from my understanding, this report MIGHT affect about 1% of extremely advanced XBMC users who have decided they want to control XBMC at their parents' house from their own house, while it is currently worded to suggest that essentially all XBMC users are at risk.
Perhaps I misunderstand the situation, but if I've got it right, presenting the threat as more than it is seems somewhat unprofessional.