CVE-2018-9160
Description
SickRage before v2018.03.09-1 includes cleartext credentials in HTTP responses.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| sickrage | PyPI | < 2018.03.09-1 | 2018.03.09-1 |
Affected products
Patches (1)
Vulnerability mechanics
Root cause
"Credentials are rendered in cleartext into HTML value attributes and stored without masking, allowing any viewer of the web interface to read them."
Attack vector
An attacker who can view any HTTP response from the SickRage web interface (e.g., by browsing to a configuration page or intercepting network traffic) can obtain cleartext credentials. The web interface rendered passwords, API keys, and tokens directly into HTML input fields as the `value` attribute, even when the application was not password-protected [CWE-522]. Because the credentials were embedded in the page source, any user with access to the web UI—or an attacker who can trigger a reflected response containing these fields—could read them without authentication. The exploit-db reference confirms that simply viewing the configuration page source reveals the plaintext secrets [ref_id=2].
Affected code
The vulnerability resides in `sickbeard/webserve.py` and multiple Mako templates under `gui/slick/views/`. In `webserve.py`, the `async_call` method and various `save*` handlers (e.g., `saveGeneral`, `saveSearch`, `saveNotifications`, `saveSubtitles`, `saveAnime`) directly assigned raw credential values from HTTP arguments to SickRage configuration variables without applying the `filters.unhide` function [patch_id=1703057]. The Mako templates (e.g., `config_search.mako`, `config_notifications.mako`, `config_general.mako`, `config_providers.mako`, `config_subtitles.mako`, `config_anime.mako`) rendered those credentials into HTML `value` attributes using `${sickbeard.SAB_PASSWORD}` or `${'*' * len(...)}` instead of the new `|hide` filter [ref_id=1].
What the fix does
The patch introduces two complementary changes. First, a new `filters.unhide` function is called in every `save*` handler in `webserve.py` so that when a form POST includes a credential field, the stored value is only updated if the submitted value differs from a masked placeholder—preventing the masked placeholder from overwriting the real secret [patch_id=1703057]. Second, all Mako templates now apply the `|hide` filter (imported from `sickbeard.filters`) to credential variables when rendering the `value` attribute, so the HTML output shows asterisks instead of the actual secret [ref_id=1]. Together, these changes ensure that credentials are never exposed in the HTML source and cannot be accidentally overwritten by a masked form submission.
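To make the two halves of that fix concrete, here is an added example modelling the render-side `hide` and save-side `unhide` pattern in plain Python. It is illustrative code written for this page, not SickRage's `sickbeard.filters` module or its Mako templates, and the mask constant, the config key names and the sample secrets are all constructed assumptions. It renders a config page both the pre-fix way and the masked way, runs a leak check over the resulting HTML, and round-trips a form POST to show why the save handler must translate the mask back into the stored secret.

```python
import html

# Hypothetical fixed-width mask. The real SickRage filter may differ; a fixed
# width is chosen here so the page source does not even reveal the secret's length.
MASK = "*" * 8

# Config keys that hold credentials (constructed sample list, not SickRage's).
SECRET_KEYS = ("sab_password", "nzbget_password", "pushover_apikey")


def hide(secret: str) -> str:
    """Render-side filter: the string a template writes into value="...".

    The real secret never reaches the HTML; an empty secret stays empty so the
    field visibly reads as unset.
    """
    return MASK if secret else ""


def unhide(current: str, submitted: str) -> str:
    """Save-side filter: decide what to store after a form POST.

    The browser submits whatever the input held. If the user left the masked
    field untouched, the POST carries MASK and the stored value is kept rather
    than being overwritten with asterisks.
    """
    return current if submitted == MASK else submitted


def render_field(name: str, secret: str) -> str:
    """Hardened rendering: mask, then escape, before emitting the attribute."""
    return '<input type="password" name="{}" value="{}">'.format(
        html.escape(name, quote=True), html.escape(hide(secret), quote=True)
    )


def render_field_unmasked(name: str, secret: str) -> str:
    """The pre-fix pattern: the raw secret lands in the page source."""
    return '<input type="password" name="{}" value="{}">'.format(
        html.escape(name, quote=True), html.escape(secret, quote=True)
    )


def render_config_page(config: dict, masked: bool = True) -> str:
    """Render one input per credential key, masked or unmasked."""
    field = render_field if masked else render_field_unmasked
    return "\n".join(field(k, config.get(k, "")) for k in SECRET_KEYS)


def save_config(config: dict, form: dict) -> dict:
    """Model of a save* handler applying unhide() to every credential field."""
    updated = dict(config)
    for key in SECRET_KEYS:
        if key in form:
            updated[key] = unhide(config.get(key, ""), form[key])
    return updated


def leaked_keys(page_html: str, config: dict) -> list:
    """Defender check: which stored secrets appear verbatim (raw or HTML-escaped)
    in a response body. Useful as a regression test over rendered templates."""
    found = []
    for key in SECRET_KEYS:
        secret = config.get(key)
        if not secret:
            continue
        if secret in page_html or html.escape(secret, quote=True) in page_html:
            found.append(key)
    return found


if __name__ == "__main__":
    # Constructed sample configuration.
    config = {"sab_password": "hunter2", "nzbget_password": "", "pushover_apikey": "abc123"}

    # Pre-fix rendering leaks every non-empty secret; masked rendering leaks none.
    print(leaked_keys(render_config_page(config, masked=False), config))  # ['sab_password', 'pushover_apikey']
    print(leaked_keys(render_config_page(config), config))                 # []

    # Round trip: the browser posts the masked page back unchanged, then with one edit.
    echoed = {k: hide(config[k]) for k in SECRET_KEYS}
    assert save_config(config, echoed) == config          # mask did not clobber the secret
    print(save_config(config, dict(echoed, sab_password="new-pass"))["sab_password"])  # new-pass
```

One caveat of the fixed-mask design: a user who deliberately sets a credential to exactly the mask string cannot, because `unhide` reads it as "unchanged"; a length-preserving mask such as the `'*' * len(...)` form mentioned above has the same ambiguity for secrets made only of asterisks, so either way the save handler should treat the mask as a reserved value.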
Preconditions
- Network: the attacker must be able to view an HTTP response from the SickRage web interface (e.g., browse to a configuration page or intercept network traffic).
- Auth: no authentication required; the credentials are exposed even when SickRage is not password-protected.
Reproduction
1. Navigate to any SickRage configuration page that contains credential fields (e.g., Config > Search, Config > Notifications, Config > Providers).
2. View the page source (right-click > View Page Source).
3. Observe that the `value` attributes of password and API key input fields contain the cleartext secrets. For example, `
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.exploit-db.com/exploits/44545/ (source: MITRE; type: exploit, x_refsource_EXPLOIT-DB)
- github.com/advisories/GHSA-jrcv-3c5h-rh3q (source: GHSA; type: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-9160 (source: GHSA; type: ADVISORY)
- github.com/SickRage/SickRage/commit/8156a74a68aea930d1e1047baba8b115c3abfc44 (source: GHSA; type: x_refsource_MISC, WEB)
- github.com/SickRage/sickrage.github.io/blob/master/sickrage-news/CHANGES.md (source: MITRE; type: x_refsource_MISC)
- github.com/pypa/advisory-database/tree/main/vulns/sickrage/PYSEC-2018-101.yaml (source: GHSA; type: WEB)
- www.exploit-db.com/exploits/44545 (source: GHSA; type: WEB)