Ubuntu
mythtv package

mythfilldatabase shows first 6 letters of password with wget command

Bug #672895 reported by Curtis Lee Bolin
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
MythTV
Unknown
Unknown
mythtv (Ubuntu)
Fix Released
Low
Unassigned

Bug Description

Binary package hint: mythtv

I saw hard drive activity on my server and ran iotop. I was astonished to see my username and the first 6 letters of my password to my schedulesdirect.org account in the wget command mythfilldatabase was executing. Other people use this server and they could easily see this.

wget --http-user=<username> --http-passwd=<first 6 letters of my password>~0-1.26437 --output-document=- --header=Accept-Encoding:gzip

Thank You For Your TIme

ProblemType: Bug
DistroRelease: Ubuntu 10.10
Package: mythtv-backend 0.23.1+fixes26437-0ubuntu1
ProcVersionSignature: Ubuntu 2.6.35-22.35-generic 2.6.35.4
Uname: Linux 2.6.35-22-generic x86_64
Architecture: amd64
Date: Tue Nov 9 00:07:33 2010
Installed_mythplugins-dbg: 0.0
Installed_mythtv-dbg: 0.0
MythTVDirectoryPermissions: lrwxrwxrwx 1 root root 21 2010-10-24 09:04 /var/lib/mythtv -> /media/storage/mythtv
ProcEnviron:
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: mythtv

Revision history for this message
Curtis Lee Bolin (curtisleebolin) wrote :
Revision history for this message
Curtis Lee Bolin (curtisleebolin) wrote :

I also noticed that wget was connecting to a non-ssl link

http://webservices.schedulesdirect.tmsdatadirect.com/schedulesdirect/tvlistings/xtvdService

so I imagine this info is also being transmitted insecurely over the internet.

Thank You For Your Time

Revision history for this message
Kees Cook (kees) wrote :

Thanks for the report! Have you communicated with the upstream MythTV author about this yet?

Changed in mythtv (Ubuntu):
status: New → Confirmed
importance: Undecided → Low
visibility: private → public
Revision history for this message
MarcRandolph (mrand) wrote :

Not sure how this ticket didn't get noticed. I forwarded it upstream.

Changed in mythtv (Ubuntu):
status: Confirmed → Triaged
Bug Watch Updater (bug-watch-updater)
Changed in mythtv:
status: Unknown → Confirmed
Bug Watch Updater (bug-watch-updater)
Changed in mythtv:
status: Confirmed → Unknown
Revision history for this message
Karl Egly (dekarl) wrote :

#9555 has been fixed upstream for the upcoming 0.25 release

Changed in mythtv (Ubuntu):
status: Triaged → Fix Committed
Revision history for this message
Mario Limonciello (superm1) wrote :

0.25 in precise. -> fix released.

Changed in mythtv (Ubuntu):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.