Jamie Strandboge
2010-May-03 17:48 UTC
[Secure-testing-team] Bug#580120: mediatomb allows anyone to browse and export the whole filesystem
Package: mediatomb Version: 0.12.0~svn2018-6 Severity: grave Tags: security Justification: user security hole This bug was reported to Ubuntu via Launchpad: https://launchpad.net/bugs/569763>From the upstream documentation:at http://mediatomb.cc/pages/documentation#id2856362: "The server has an integrated filesystem browser, that means that anyone who has access to the UI can browse your filesystem (with user permissions under which the server is running) and also download your data! If you want maximum security - disable the UI completely! Account authentication offers simple protection that might hold back your kids, but it is not secure enough for use in an untrusted environment! Note: since the server is meant to be used in a home LAN environment the UI is enabled by default and accounts are deactivated, thus allowing anyone on your network to connect to the user interface." Unfortunately, the Debian/Ubuntu packaging preserves these installation defaults, which IMHO is incorrect behavior for a distribution. A few ways to solve this are: * the web UI should be disabled on new installs * a debconf question should prompt the user to enable the web UI, but default to ''no'' * enable the web UI, but create an account for connecting to it Upstream doesn''t seem confident in mediatomb''s handling of authentication, so it would probably makes sense to not rely on it and simply disable the feature, documenting how to enable it and the pitfalls of enabling it in README.Debian. -- System Information: Debian Release: squeeze/sid APT prefers lucid-updates APT policy: (500, ''lucid-updates''), (500, ''lucid-security''), (500, ''lucid'') Architecture: amd64 (x86_64) Kernel: Linux 2.6.32-21-generic (SMP w/2 CPU cores) Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash