Bug 495182 (CVE-2013-7300) - <media-sound/cantata-1.2.2: internal http server allows to download any file (CVE-2013-{7300,7301})
Summary: <media-sound/cantata-1.2.2: internal http server allows to download any file ...
Status: RESOLVED FIXED
Alias: CVE-2013-7300
Product: Gentoo Security
Classification: Unclassified
Component: Auditing
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://code.google.com/p/cantata/iss...
Whiteboard: ~3 [noglsa]
Keywords:
Depends on: 497152
Blocks:
Reported: 2013-12-24 06:35 UTC by Nikoli
Modified: 2014-02-04 14:01 UTC
See Also:
Package list:
Runtime testing required: ---
Description Nikoli 2013-12-24 06:35:35 UTC
cantata starts an internal http server on the external network interface by default. It is not possible to disable the http server, but you can choose to listen on localhost only.
I investigated how much it is possible to download using this server: it lets anyone from the external network, and any user on your system, download any file that is readable by you. Even your ssh private keys.
I reported problem upstream:
https://code.google.com/p/cantata/issues/detail?id=356

The mistake is very obvious; not sure if it is not a backdoor.
cantata checks only 2 things:
1) user agent:
https://code.google.com/p/cantata/source/browse/trunk/http/httpsocket.cpp?spec=svn3682&r=3682#183
        if (str.startsWith("User-Agent:") && str.contains("Music Player Daemon")) {
            return true;
        }

2) 'cantata=song' in url:
https://code.google.com/p/cantata/source/browse/trunk/http/httpserver.cpp?spec=svn3687&r=3687#237
    if (q.hasQueryItem("cantata") && q.queryItemValue("cantata")=="song") {

So a simple wget command works fine for getting ssh keys:
wget --user-agent='Music Player Daemon 0.17.4' "http://127.0.0.1:37420/home/me/.ssh/id_rsa?cantata=song" -O id_rsa
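The two checks quoted above (a User-Agent substring and a `cantata=song` query item) are client-controlled and so provide no authorization at all; what the 1.2.2 fix description in the CVE text calls for is restricting the served files to the play queue. The following is an added illustration of such a play-queue allowlist in plain C++17, not Cantata's own code, and not its actual fix; the directory layout, file names and the `FileAllowlist`/`run_demo` names are hypothetical sample data constructed for the example. The decision depends only on whether the canonicalised requested path is one of the queued files, so absolute paths, symlinks and `..` components cannot reach anything outside the queue.

```cpp
// Added example (not Cantata's code): an allowlist check that serves only files
// registered in the play queue, regardless of User-Agent or query parameters.
#include <filesystem>
#include <fstream>
#include <iostream>
#include <set>
#include <string>
#include <system_error>

namespace fs = std::filesystem;

class FileAllowlist {
public:
    // Register a file the server may serve (e.g. when it enters the play queue).
    // The canonical path is stored so that symlinks and ".." cannot make an
    // outside file compare equal to a queued one.
    bool add(const fs::path& p) {
        std::error_code ec;
        fs::path c = fs::canonical(p, ec);
        if (ec || !fs::is_regular_file(c, ec)) return false;
        allowed_.insert(c.string());
        return true;
    }

    // A request is served only if the requested path canonicalises to a queued
    // file. An absolute path such as /home/me/.ssh/id_rsa fails here unless that
    // exact file was queued; non-existent paths are rejected as well.
    bool is_allowed(const std::string& requested) const {
        std::error_code ec;
        fs::path c = fs::canonical(fs::path(requested), ec);
        if (ec) return false;
        return allowed_.count(c.string()) > 0;
    }

private:
    std::set<std::string> allowed_;
};

struct DemoResult {
    bool queued_song;   // a file in the queue: expected true
    bool private_key;   // an absolute path outside the queue: expected false
    bool dotdot_escape; // ".." from the music dir to the key: expected false
};

// Builds a constructed layout under the temp dir (hypothetical sample data):
//   <tmp>/cantata_allowlist_demo/music/song.mp3    (queued)
//   <tmp>/cantata_allowlist_demo/home/.ssh/id_rsa  (never queued)
DemoResult run_demo() {
    std::error_code ec;
    fs::path base = fs::temp_directory_path() / "cantata_allowlist_demo";
    fs::remove_all(base, ec);
    fs::create_directories(base / "music");
    fs::create_directories(base / "home" / ".ssh");
    std::ofstream(base / "music" / "song.mp3") << "fake mp3 bytes";
    std::ofstream(base / "home" / ".ssh" / "id_rsa") << "fake private key";

    FileAllowlist queue;
    queue.add(base / "music" / "song.mp3");

    DemoResult r;
    r.queued_song   = queue.is_allowed((base / "music" / "song.mp3").string());
    r.private_key   = queue.is_allowed((base / "home" / ".ssh" / "id_rsa").string());
    r.dotdot_escape = queue.is_allowed(
        (base / "music" / ".." / "home" / ".ssh" / "id_rsa").string());

    fs::remove_all(base, ec);
    return r;
}

int main() {
    DemoResult r = run_demo();
    std::cout << "queued song served: " << r.queued_song << "\n"
              << "private key served: " << r.private_key << "\n"
              << "../ escape served:  " << r.dotdot_escape << "\n";
    return 0;
}
```

The important design point is that the User-Agent and query-string checks from the original code are not consulted at all: an allowlist keyed on canonical paths is the only thing that decides whether a file is served, and it is populated only from the queue, never from the request.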
Comment 1 Sergey Popov gentoo-dev 2013-12-24 11:28:15 UTC
Thanks for the report
Comment 2 Sergey Popov gentoo-dev 2014-01-20 10:31:58 UTC
Re-rating as ~3, because there are no stable versions in the tree. 1.2.2 fixes this issue, so closing this as FIXED too.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2014-02-04 14:01:17 UTC
CVE-2013-7301 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7301):
  Cantata before 1.2.2 does not restrict access to files in the play queue,
  which allows remote attackers to obtain sensitive information by reading the
  songs in the queue.

CVE-2013-7300 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7300):
  Absolute path traversal vulnerability in cantata before 1.2.2 allows local
  users to read arbitrary files via a full pathname in a request to the
  internal httpd server.  NOTE: this vulnerability can be leveraged by remote
  attackers using CVE-2013-7301.