[mythtv] Attackers can read any file on host via MythTV

Jonathan T Wang jtwang at MIT.EDU
Sun Mar 20 06:17:01 UTC 2005


Hi,

I believe I've found a security hole in Myth - in
MainServer::LocalFilePath, MythTV does not check whether the QUrl passed
in by the client in MainServer::HandleAnnounce contains any instances
of "../".

This means that an attacker could cause MythTV to send him any file on the
system readable by the mythtv user.

Thanks,
Jonathan
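
The missing check described in the message above, sketched as an added example (not part of the original post and not MythTV's own code): a containment check that refuses any client-supplied path whose "../" segments would leave the storage directory. The function name, the directory /var/lib/mythtv/recordings and the sample requests are assumptions made for illustration.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Hypothetical helper, not MythTV code. Lexically resolves a client-supplied
// path under `base`; returns the joined path, or "" if the request is refused.
// Assumes `client_path` is already URL-decoded and uses '/' separators.
std::string resolve_under_base(const std::string &base,
                               const std::string &client_path)
{
    std::vector<std::string> parts;   // accepted path segments, in order
    std::string seg;
    const std::string input = client_path + "/";  // sentinel flushes last segment
    for (char c : input) {
        if (c == '\0') return "";     // embedded NUL would truncate in C APIs
        if (c != '/') { seg += c; continue; }
        if (seg == "..") {
            if (parts.empty()) return "";   // would climb above base: refuse
            parts.pop_back();
        } else if (!seg.empty() && seg != ".") {
            parts.push_back(seg);
        }
        seg.clear();
    }
    if (parts.empty()) return "";     // names the directory itself, not a file

    std::string out = base;
    while (out.size() > 1 && out.back() == '/') out.pop_back();
    for (const std::string &p : parts) out += "/" + p;
    // A lexical check does not see symlinks: before opening, a server should
    // also canonicalize (e.g. realpath()) and confirm the result is under base.
    return out;
}

int main()
{
    const std::string base = "/var/lib/mythtv/recordings";  // assumed directory
    // Constructed sample requests, not taken from the original post.
    const char *samples[] = { "1001_20050320.nuv", "sub/../show.nuv",
                              "../../../etc/passwd", "sub/../../etc/passwd" };
    for (const char *s : samples) {
        const std::string r = resolve_under_base(base, s);
        std::cout << s << " -> " << (r.empty() ? "REFUSED" : r) << "\n";
    }
    return 0;
}
```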

