[Fixed in CME v1.0.2019.0630] CMC XML files storing Windows Password in clear text?

bscholl · Post by **bscholl** » Sat Jun 29, 2019 10:11 pm

Paul,

I upgraded to the new CMC v2.2 and had great success importing my TV series metadata from MyMovies. I had a couple of series that I needed to update the MyMovies profiles, and in troubleshooting that issue, I discovered my Windows credentials are being written to the new CMC XML files titled mmTitle.xlm. It happens near the end of the file under the DunePaths location for both movies and TV series.

Do I have something misconfigured in MyMovies or CMC or is this working as intended? It seems to be a huge security risk storing my Windows password in plain text throughout the hard drive and in hundreds of folders. See below for an example of what I am seeing near the end of all XML files created my CMC. I removed my actual password from the example and replaced it with "PASSWORD" below.

Brian Scholl

SAMPLE mmTitle.xml

<WatchedEvents>
<WatchedEvent Name="" Date="3/9/2012 12:00:00 AM" Before="False" State="-1" Session="" How="" Notes=""/>
</WatchedEvents>
<DataChanged>11/23/2014 4:53:35 PM</DataChanged>
<DiscLocations>
<Disc Name="Disc 1" TypeA="1" LocationA="smb://HTPC/Blu-Ray3/Apollo 13"/>
</DiscLocations>
<Locations/>
<DunePaths>
<![CDATA[Disc 1##BluRay##smb://Brian Scholl:PASSWORD@HTPC/Blu-Ray3/Apollo 13/APOLLO_13_GLO_G51.iso]]>
</DunePaths>
</PersonalData>
</Title>

Jamie · Post by **Jamie** » Sun Jun 30, 2019 12:10 pm

I have the same issue. The CME is storing the SMB username and password for all my drobos in the mmTitle.xml files. Good catch!

Post by **Pauven** » Sun Jun 30, 2019 12:47 pm

The Dune Paths, with the username and password, come from the API. For the most part, CME just dumps the API data to a file.

I can see that this needs to be filtered out. CMC doesn't need this data, so I can safely remove the <DunePaths> tag without causing any issues. I'll go ahead make this change.

Thanks for letting me know.

bscholl · Post by **bscholl** » Sun Jun 30, 2019 1:11 pm

I’m relieved to hear it’s not a requirement to store the passwords in clear text. Looks like I’ll best testing the CME Metadata Cleanup utility once the program is updated to delete and recreate the CME xml files.

Thanks,
Brian

Post by **Pauven** » Sun Jun 30, 2019 4:57 pm

I have made this change, and it is in testing now. Hope to have test results soon and will get this out for everyone to use.

Post by **Pauven** » Sun Jun 30, 2019 8:46 pm

I just released CME v1.0.2019.0630 as part of the CMC v2.2.2019.0630 update. It includes this fix.

bscholl · Post by **bscholl** » Mon Jul 01, 2019 9:34 am

Paul,
Thank you for updating your software so quickly to address my security concern. I used the metadata cleanup tool to remove the existing CMC xml files and then updated to your latest build of CMC. After re-running the export utility, the newly created mmTitle.xml files no longer contains my Windows credentials.
One benefit of running the cleanup was that a couple of TV series that that wouldn’t display the seasons and episodes is now working correctly. Previously, they would display only the discs.
Thanks again for addressing this problem immediately, and on a Sunday afternoon!
Brian

[Fixed in CME v1.0.2019.0630] CMC XML files storing Windows Password in clear text?

[Fixed in CME v1.0.2019.0630] CMC XML files storing Windows Password in clear text?

Re: CMC XML files storing Windows Password in clear text?

Re: CMC XML files storing Windows Password in clear text?

Re: CMC XML files storing Windows Password in clear text?

Re: CMC XML files storing Windows Password in clear text?

Re: CMC XML files storing Windows Password in clear text?

Re: [Fixed in CME v1.0.2019.0630] CMC XML files storing Windows Password in clear text?