ADVISORIES | July 1, 2012

XBMC File Traversal Vulnerability

XBMC is an award-winning, free, and open source (GPL) software media player and entertainment hub for digital media. XBMC is available for Linux, OSX, and Windows. Created in 2003 by a group of like-minded programmers, XBMC is a nonprofit project run and developed by volunteers located around the world. More than 50 software developers have contributed to XBMC, and 100-plus translators have worked to expand its reach, making it available in more than 30 languages.

Currently, XBMC plays almost all popular audio and video formats. It was designed for network playback, so you can stream your multimedia from anywhere in the house or directly from the Internet using almost any protocol available.

XBMC allows you to use your media “as is”. It plays CDs and DVDs directly from the disc or from an image file, the most popular archive formats from your hard drive, and files inside ZIP and RAR archives. It also scans all of your media and automatically creates a personalized library complete with box covers, descriptions, and fan art. It includes playlist and slideshow functions, a weather forecast feature, and many audio visualizations. After installing XBMC, your computer will become a fully functional multimedia jukebox.

This vulnerability has been tested and is exploitable on XBMC 11 and on the latest nightly build (20121028) for Linux, Raspberry Pi, and a jailbroken Apple TV 2. Any device running XBMC with its web server enabled might be vulnerable. XBMC is not installed by default on any of the tested platforms. The XBMC team was notified of the vulnerability on October 31, 2012 and has approved the release of this advisory.

