[Secure-testing-team] Bug#637685: creates database accessible to anyone from localhost

Carlo Contavalli ccontavalli at gmail.com
Sat Aug 13 17:53:15 UTC 2011


Package: zoneminder
Version: 1.24.4-1
Severity: minor
Tags: security

The Debian package creates a database for zoneminder accessible by
anyone with ssh/console access to the machine (or, well, by anyone
that can use the server as vpn / tunnel endpoint), given that the user
and password are always zmuser and zmpass, and the only restriction
enforced is for the connection to come from localhost.

It's trivial to change the user and password, and it's usually not a big
deal, given that it's rare to have a camera server with shared access.

But:
  - README.Debian / dialogs / ... should mention changing the password.
  - postinst could easily generate a random password rather than
    always use zmpass.
  - /etc/zm/zm.conf should not be world-readable.
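
As an added example (not the zoneminder package's real postinst), a sketch of what the second and third points would look like in a maintainer script: a per-install random password instead of the fixed zmpass, a zm.conf written with mode 0640, and the GRANT statement that would be piped to mysql. The zm.conf path, the ZM_DB_* key names and the www-data group are assumptions.

```shell
#!/bin/sh
# Added example, not the zoneminder package's real postinst.
# Assumptions: zm.conf lives at the path passed in, its keys are ZM_DB_*,
# and the web server runs as group www-data.
set -eu

gen_password() {
    # 24 random characters limited to [A-Za-z0-9], so the value is also safe
    # to splice into the SQL below and into zm.conf without quoting.
    head -c 1024 /dev/urandom | tr -dc 'A-Za-z0-9' | head -c 24
}

write_zm_conf() {
    # $1 = config path, $2 = password, $3 = group allowed to read it
    conf="$1"; pass="$2"; group="$3"
    # create the file with no group/other bits, then open it to the web group only
    ( umask 077; cat > "$conf" <<EOF
ZM_DB_HOST=localhost
ZM_DB_NAME=zm
ZM_DB_USER=zmuser
ZM_DB_PASS=$pass
EOF
    )
    chgrp "$group" "$conf"
    chmod 0640 "$conf"     # root rw, web group r, everyone else nothing
}

grant_sql() {
    # $1 = password; the localhost restriction stays, the fixed password goes
    printf "GRANT ALL PRIVILEGES ON zm.* TO 'zmuser'@'localhost' IDENTIFIED BY '%s';\n" "$1"
    printf "FLUSH PRIVILEGES;\n"
}

world_readable() {
    # exit 0 if "other" has read permission on $1 (the state this bug reports)
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# Typical postinst use (pipes the GRANT into mysql as the Debian admin user):
#   PASS=$(gen_password)
#   write_zm_conf /etc/zm/zm.conf "$PASS" www-data
#   grant_sql "$PASS" | mysql --defaults-file=/etc/mysql/debian.cnf
```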

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (995, 'testing'), (500, 'oldstable'), (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.39-2-686-pae (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
