2009-04-01, 21:43
A few remote exploits were brought to our attention recently and have been fixed in r19126. It is recommended that you disable the web server until you can get a build at or later than this one installed. This goes double if you're doing something stupid like running XBMC on a privileged account or exposing the server to the internet.
All database access through the httpapi has been disabled until a denial of service, in the form of a segfault, can be resolved.
A HUGE thanks goes out to n00b for the security audit and PoC code. Keep up the good work!
EDIT: You can disable the web server in settings > network > servers.
UPDATE: All the exploits reported by n00b should be fixed as of r19131. Of course running XBMC on a privileged account and exposing the servers to the Internet is still not advised. -d4rk.