
Thread: Boxee SMB security hole revealed

  1. #1
    Join Date
    Jul 2011
    Location
    Raleigh, NC
    Posts
    328

    Boxee SMB security hole revealed

    Boxee SMB Security Hole

    SOURCE http://blog.kteck.ca/2012/05/04/boxe...security-hole/

    After doing some research on how the Boxee remote system worked, I found some URLs for doing basic control/info retrieval from the older desktop software and the current software on the Boxee Box. One of these was the now-playing status. After messing with some of the others I went back to the now-playing URL and noticed something that didn’t seem right.

    Boxee doesn’t store the SMB (Windows file sharing) authentication in a secure data store and securely retrieve it, as is done on modern systems. Instead it sends the username/password as part of EVERY request for media shared from a Windows computer. That means every request for media sent out is done in this format: *“smb://<username>:<password>/path/to/media/file.<extension>”. This is not a secure method, especially since app developers can write remote apps that interact with the software, even to the extent of requesting the currently playing media.

    While this isn’t a major issue on a single-user network, the issue really comes into focus on a multi-user shared network. Without a fix in the core of the Boxee software, all you can do is set up your share security so that only a Boxee-only user is exposed. For example, make a new user that is just for Boxee media shares, or set up your media shares to allow anyone to read but require an authenticated user to write; that way either a non-important user is exposed, or Boxee can access the media without needing a login.
    Last edited by nfodiz; May 4th, 2012 at 01:27 PM.
    Boxee Box rev A1 fw 1.5.1.23734 wired NFS - Boxee Box rev A2 fw 1.5.1.23734 wireless NFS
    WD Mybook Live 3TB fw 02.11.09-053 NFS - Seagate BlackArmor NAS 110 1TB fw 1000.1211
    Asus RT-N66U fw 3.0.0.3.151 -> Trendnet TEG-S80G 8 port Gigabit switch
    WDTV gen1 - WDTV Live - WDTV Live Streaming
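One way a defender can check whether a now-playing response leaks share credentials the way the post describes, and what a sanitized response should look like. This is an added example, not code from the post or from Boxee; the sample response is constructed, and the parser is an assumption that handles both the `smb://<username>:<password>/path` form quoted above and the standard `smb://user:pass@host/share` form.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample of a now-playing style response that embeds share
# credentials in the media URL (the shape the post describes).
SAMPLE_NOW_PLAYING = """<nowplaying>
  <file>smb://boxee:s3cret@nas.local/media/movie.mkv</file>
  <art>nfs://nas.local/media/movie.jpg</art>
</nowplaying>"""

_URL_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.\-]*://[^\s\"'<>]+")

def _split_credentials(url):
    """Return (user, password, host, parts) if the URL carries credentials,
    else None. Assumes passwords contain no '@' or '/' (a URL-encoded
    password would survive; a raw one would already break the URL)."""
    parts = urlsplit(url)
    netloc = parts.netloc
    if "@" in netloc:
        # standard form: user:pass@host
        userinfo, host = netloc.rsplit("@", 1)
    elif ":" in netloc and not netloc.rsplit(":", 1)[1].isdigit():
        # form quoted in the post: user:pass followed directly by the path
        # (a numeric suffix is a port such as nas:445, not a password)
        userinfo, host = netloc, ""
    else:
        return None
    user, _, password = userinfo.partition(":")
    return user, password, host, parts

def has_embedded_credentials(url: str) -> bool:
    return _split_credentials(url) is not None

def redact(url: str) -> str:
    """Mask the password so the URL can be logged or returned to a client."""
    found = _split_credentials(url)
    if found is None:
        return url
    user, _, host, parts = found
    netloc = f"{user}:***@{host}" if host else f"{user}:***"
    return urlunsplit(parts._replace(netloc=netloc))

def scan_now_playing(payload: str) -> list:
    """Return every URL in a response that exposes share credentials."""
    return [u for u in _URL_RE.findall(payload) if has_embedded_credentials(u)]

if __name__ == "__main__":
    for leaked in scan_now_playing(SAMPLE_NOW_PLAYING):
        print("leaked credentials:", redact(leaked))
```

Running it against your own box's now-playing output shows whether the workaround in the post (a read-only, Boxee-only share account) is the only thing standing between a remote app and a usable password.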

  2. #2
    Join Date
    Mar 2009
    Location
    Las Vegas, NV
    Posts
    1,994


    Patiently awaiting a response to this one. I always love to see responses from somebody official... Where's my popcorn... I'm pulling up a chair now and waiting.
    Got questions about Navi-X??? Check our Navi-X Wiki at tinyurl.com/navixwiki for answers to even the toughest problems or drop us a note in our forums at http://www.navixtreme.com/forums and bookmark your question then check it later for an answer!

  3. #3
    Join Date
    Jul 2011
    Location
    Raleigh, NC
    Posts
    328


    An official response from Team Boxee would be great. I would like to see this fixed sooner rather than later.
    Last edited by nfodiz; May 4th, 2012 at 03:28 PM.

  4. #4


    You should submit a bug report in jira. The forum is not the place for this.

  5. #5


    Why use SMB?

  6. #6
    Join Date
    Jul 2011
    Location
    Raleigh, NC
    Posts
    328


    Quote Originally Posted by influx2k View Post
    You should submit a bug report in jira. The forum is not the place for this.
    I had already filed a Jira bug report (not that anything will happen with it).
    I disagree, though, that this should not have been posted here in the forums. Customers have a right to know about security holes in their systems and about ways to work around the issue until a patch is released. Thanks for your valuable input though.
    Last edited by nfodiz; May 5th, 2012 at 07:38 PM.

  7. #7
    Join Date
    Jul 2011
    Location
    Raleigh, NC
    Posts
    328


    Quote Originally Posted by Scirocca View Post
    Why use SMB?
    I don't, but I'm sure a lot of people out there do.

  8. #8
    Join Date
    Jul 2011
    Location
    Raleigh, NC
    Posts
    328


    What did I tell you?

    Ami Ben-David [Boxee] added the Fix Version 'Support' to BOXEE-12893 - Boxee SMB security hole

    Why move this to support?!

  9. #9
    Join Date
    Feb 2012
    Posts
    169


    My Boxee does not access my computer at all, but uses a NAS (or several), and each NAS has a Boxee account which is set to read-only. I don't see this as a security threat on my network.
    Boxee is a good product - stop bashing it.
    If we all include our setup, we could all help each other better.
    My Equipment :- Boxee Box, Cat5e, Prosafe Gigabit Switch(s), Airport Extreme, WD ShareSpace, WD MybookWorlds, Qnap-TS412, Samsung PD59D550 3D TV, Panasonic BT270 (for optical audio)

  10. #10


    Quote Originally Posted by Umpa View Post
    Boxee is a good product - stop bashing it.
    If we all include our setup we could all help each other better
    Totally agree!
