[Secure-testing-team] Bug#484570: [motion] motion.conf world readable and thus writable through web interface by default
Thijs Kinkhorst
thijs at debian.org
Thu Jun 5 06:54:49 UTC 2008
Hi Nico,
On Thursday 5 June 2008 01:41, Nico Golde wrote:
> That basically makes the control_authentication which is
> used for http authentication useless as an attacker can read
> login credentials and then change the configuration to
> whatever he likes via the web interface of motion (for
> example switching off motion detection).
As I understand it, this is a fully optional feature not enabled by default.
When such issues are reported to the stable security team we usually consider
them to be a non-issue following this reasoning: when an administrator
explicitly edits a config file to add credentials to it, that administrator
should be considered capable enough to check whether the file is secured.
Many applications allow for optional secrets to be added, e.g. my Postfix
main.cf has a SASL username & password, but we don't require Postfix's
main.cf to be 0600 in a default installation. Normally we respond with this
reasoning and advise the maintainer to add a comment right above the setting
to remind the administrator of the file's permissions.
Thijs
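The reply above leaves the permission check to the administrator. The following script is an added example of that check; it is not from the bug report, from Debian, or from the motion project. It takes the setting name (control_authentication) and the file name (motion.conf) from the report, and the config contents it tests against are constructed for the demo.

```sh
#!/bin/sh
# Added example, not part of the bug report or of the motion package: a small
# audit that flags a config file which carries the control_authentication
# setting but is readable by group or others. File names and contents below
# are constructed for the demo; the real file would be /etc/motion/motion.conf.

# 0 if the file has an uncommented control_authentication line, 1 otherwise.
has_credentials() {
    grep -Eq '^[[:space:]]*control_authentication[[:space:]]' "$1"
}

# Permission bits of a file as octal digits, e.g. 644.
# Tries the GNU stat syntax first, then the BSD/macOS syntax.
mode_of() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then
        stat -c '%a' "$1"
    else
        stat -f '%Lp' "$1"
    fi
}

# 0: credentials present and only the owner has any access
# 1: credentials present but group or other bits are set (the reported issue)
# 2: no credentials in the file, so permissions do not matter for this check
check_config() {
    f=$1
    has_credentials "$f" || return 2
    m=$(mode_of "$f")
    case "$m" in
        *00) return 0 ;;
        *)
            echo "$f: mode $m, but it contains control_authentication" >&2
            return 1
            ;;
    esac
}

# Runs the check against three constructed files and prints the three
# results: "1 0 2" (world-readable with creds, 0600 with creds, no creds).
demo() {
    tmp=$(mktemp -d)
    printf 'control_port 8080\ncontrol_authentication admin:s3cret\n' \
        > "$tmp/motion.conf"
    chmod 644 "$tmp/motion.conf"
    r1=0; check_config "$tmp/motion.conf" || r1=$?
    chmod 600 "$tmp/motion.conf"
    r2=0; check_config "$tmp/motion.conf" || r2=$?
    printf '# control_authentication admin:s3cret\ncontrol_port 8080\n' \
        > "$tmp/plain.conf"
    chmod 644 "$tmp/plain.conf"
    r3=0; check_config "$tmp/plain.conf" || r3=$?
    rm -rf "$tmp"
    echo "$r1 $r2 $r3"
}

demo
```

On a real system, `check_config /etc/motion/motion.conf` returns 1 in exactly the situation the report describes: credentials in the file and a mode that lets other local users read them. The check deliberately ignores files where the setting is commented out, matching the reasoning in the reply that the problem only appears once an administrator adds credentials.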