Message-ID: <CALfBxESL4MhUEZ_sg+CPBCmsJki3QVHDAhvkTSJ4niR3KeqKww@mail.gmail.com>
Date: Wed, 10 Feb 2016 14:41:16 +0100
From: Andreas Lindh <addelindh@...il.com>
To: oss-security@...ts.openwall.com, cve-assign@...re.org
Subject: CVE request for Media Player Classic

Hi list, CVE-assign,

On the 14th of November 2015, Media Player Classic - Home Cinema (MPC-HC)
disabled the preview function in the MPC-HC Web UI in version 1.7.10, as
this function could be abused to steal private images from the machine
running MPC-HC with the Web UI enabled.

See https://mpc-hc.org/changelog/ for the MPC-HC changelog, and
http://haxx.ml/post/125666329821/abusing-the-mpc-hc-webui-to-steal-private-pictures
for more details on the issue and practical exploitation of it.

The main issue here is that the Web UI does not have any authentication,
something which (besides the already mentioned issue) enables an attacker
on the same network to start media files on the MPC-HC running on the
affected machine.

Could a CVE be assigned for this please?

Cheers,
Andreas
