mythfilldatabase shows first 6 letters of password with wget command

Bug #672895 reported by Curtis Lee Bolin on 2010-11-09
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
MythTV
Unknown
Unknown
mythtv (Ubuntu)
Low
Unassigned

Bug Description

Binary package hint: mythtv

I saw hard drive activity on my server and ran iotop. I was astonished to see my username and the first 6 letters of my password to my schedulesdirect.org account in the wget command mythfilldatabase was executing. Other people use this server and they could easily see this.

wget --http-user=<username> --http-passwd=<first 6 letters of my password>~0-1.26437 --output-document=- --header=Accept-Encoding:gzip

Thank You For Your TIme

ProblemType: Bug
DistroRelease: Ubuntu 10.10
Package: mythtv-backend 0.23.1+fixes26437-0ubuntu1
ProcVersionSignature: Ubuntu 2.6.35-22.35-generic 2.6.35.4
Uname: Linux 2.6.35-22-generic x86_64
Architecture: amd64
Date: Tue Nov 9 00:07:33 2010
Installed_mythplugins-dbg: 0.0
Installed_mythtv-dbg: 0.0
MythTVDirectoryPermissions: lrwxrwxrwx 1 root root 21 2010-10-24 09:04 /var/lib/mythtv -> /media/storage/mythtv
ProcEnviron:
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: mythtv

I also noticed that wget was connecting to a non-ssl link

http://webservices.schedulesdirect.tmsdatadirect.com/schedulesdirect/tvlistings/xtvdService

so I imagine this info is also being transmitted insecurely over the internet.

Thank You For Your Time

Kees Cook (kees) wrote :

Thanks for the report! Have you communicated with the upstream MythTV author about this yet?

Changed in mythtv (Ubuntu):
status: New → Confirmed
importance: Undecided → Low
visibility: private → public
MarcRandolph (mrand) wrote :

Not sure how this ticket didn't get noticed. I forwarded it upstream.

Changed in mythtv (Ubuntu):
status: Confirmed → Triaged
Changed in mythtv:
status: Unknown → Confirmed
Changed in mythtv:
status: Confirmed → Unknown
Karl Dietz (dekarl) wrote :

#9555 has been fixed upstream for the upcoming 0.25 release

Changed in mythtv (Ubuntu):
status: Triaged → Fix Committed
Mario Limonciello (superm1) wrote :

0.25 in precise. -> fix released.

Changed in mythtv (Ubuntu):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.