2011-11-22, 17:10
Hi guys,
First off, as a new user of XBMC, I have to say that it's a damn marvellous bit of software. Thanks to all who've worked on it.
Secondly, I've found a security hole on the login screen when using multiple profiles. OK, so it was actually my 6-year old son who found it, I just worked out how he did it.
Basically, if you have an "ActivateWindow" command mapped to a button, it's possible to bypass the login screen and get Master User access.
To replicate the issue, create a second profile with no password, add a password for the Master user and enable the login screen.
With the simple keymap.xml setting below, press F11 while on the login screen and you will bypass the login screen without either choosing a user, or entering a password. The Home screen will be activated with you logged in with the Master user's profile.
Looking at the code for the login screen, it appears that an attempt is made to only allow the ShutDown built-in action to be performed whilst on this screen. Unfortunately the comparison used is incorrect and also relies on the action's name being in lower case.
I've raised a ticket for this which includes a patch for review which fixes this issue.
Ticket is: http://trac.xbmc.org/ticket/12226
Cheers
Muttley
First off, as a new user of XBMC, I have to say that it's a damn marvellous bit of software. Thanks to all who've worked on it.
Secondly, I've found a security hole on the login screen when using multiple profiles. OK, so it was actually my 6-year old son who found it, I just worked out how he did it.
Basically, if you have an "ActivateWindow" command mapped to a button, it's possible to bypass the login screen and get Master User access.
To replicate the issue, create a second profile with no password, add a password for the Master user and enable the login screen.
With the simple keymap.xml setting below, press F11 while on the login screen and you will bypass the login screen without either choosing a user, or entering a password. The Home screen will be activated with you logged in with the Master user's profile.
Code:
<keymap>
<global>
<keyboard>
<f11>ActivateWindow(Home)</f11>
<f12>ShutDown</f12>
</keyboard>
</global>
</keymap>Looking at the code for the login screen, it appears that an attempt is made to only allow the ShutDown built-in action to be performed whilst on this screen. Unfortunately the comparison used is incorrect and also relies on the action's name being in lower case.
I've raised a ticket for this which includes a patch for review which fixes this issue.
Ticket is: http://trac.xbmc.org/ticket/12226
Cheers
Muttley
