2013-02-01, 15:00
Dear All,
There is a serious security hole in XBMC UPnP server (confirmed on 11.0, 12 and latest git, Win/Mac). It is possible to get access to files outside of media library. If UPnP client issues a "Browse" (BrowseDirectChildren) action request with empty ObjectID ("") XMBC server basically will return root filesystem listing. Folders and files from the listing will be cached for http access on server side and direct links will be returned in DIDL response. Due to this, it becomes possible to browse all subfolders starting from root "/" and have http access to any individual file.
Concluding, because of this issue, a potential adversary can get access to any file on machine via UPnP Server of XBMC.
I just create a pull request on github. See link to patch : https://github.com/pamiro/xbmc/commit/70...1b9bcea33c
Best regards,
Pavel Mironchyk
There is a serious security hole in XBMC UPnP server (confirmed on 11.0, 12 and latest git, Win/Mac). It is possible to get access to files outside of media library. If UPnP client issues a "Browse" (BrowseDirectChildren) action request with empty ObjectID ("") XMBC server basically will return root filesystem listing. Folders and files from the listing will be cached for http access on server side and direct links will be returned in DIDL response. Due to this, it becomes possible to browse all subfolders starting from root "/" and have http access to any individual file.
Concluding, because of this issue, a potential adversary can get access to any file on machine via UPnP Server of XBMC.
I just create a pull request on github. See link to patch : https://github.com/pamiro/xbmc/commit/70...1b9bcea33c
Best regards,
Pavel Mironchyk