Carlo Contavalli
2011-Aug-13 17:53 UTC
[Secure-testing-team] Bug#637685: creates database accessible to anyone from localhost
Package: zoneminder
Version: 1.24.4-1
Severity: minor
Tags: security
The debian package creates a database for zoneminder accessible by
anyone with ssh/console access to the machine (or, well, by anyone
that can use the server as vpn / tunnel endpoint), given that user
and pass is always zmuser and zmpass, and the only restriction
enforced is for the connection to come from localhost.
It's trivial to change the user and password, and it's usually not a big
deal, given that it's rare to have a camera server with shared access.
But:
- README.Debian / dialogs / ... should mention changing the password.
- postinst could easily generate a random password rather than
always use zmpass.
- /etc/zm/zm.conf should not be world-readable.
-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (995, 'testing'), (500, 'oldstable'), (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.39-2-686-pae (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
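The two remedies the report asks for (a random per-install password instead of zmpass, and a zm.conf that is not world-readable) are small enough to show in a few lines of POSIX sh. The block below is an added example written for this page; it is not code from the zoneminder package, its postinst, or the reporter. Assumed details: the config is written with the ZM_DB_* key names, the web-server group is passed in by the caller, the GRANT statement uses the MySQL 5.x `IDENTIFIED BY` form, and the `uses_default_password` check is a hypothetical helper for spotting an install that still carries the shipped credentials.

```shell
#!/bin/sh
# Added example, not part of the zoneminder package. Shows what a postinst
# could do instead of shipping the fixed zmuser/zmpass pair and a
# world-readable /etc/zm/zm.conf.

# 32 alphanumeric characters drawn from the kernel CSPRNG (~190 bits).
# Restricting to [A-Za-z0-9] means the value needs no quoting in the
# config file or in the SQL statement below.
gen_password() {
    tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 32
}

# Write the config under a restrictive umask so the file is never
# world-readable, not even between creation and chmod. Arguments:
# path, password, group that the web server runs as.
# Key names follow zm.conf's ZM_DB_* convention (assumption).
write_conf() {
    conf="$1"; pass="$2"; group="$3"
    (
        umask 027
        tmp="$(mktemp "${conf}.XXXXXX")"
        cat > "$tmp" <<EOF
ZM_DB_HOST=localhost
ZM_DB_NAME=zm
ZM_DB_USER=zmuser
ZM_DB_PASS=$pass
EOF
        chmod 0640 "$tmp"     # root rw, web-server group r, nobody else
        chgrp "$group" "$tmp"
        mv "$tmp" "$conf"     # atomic replace, so no half-written config
    )
}

# SQL a postinst would feed to mysql as the admin user. Still localhost-only,
# but the password is now unique to this install. MySQL 5.x syntax (assumption).
grant_sql() {
    pass="$1"
    printf "GRANT SELECT,INSERT,UPDATE,DELETE ON zm.* TO 'zmuser'@'localhost' IDENTIFIED BY '%s';\n" "$pass"
    printf "FLUSH PRIVILEGES;\n"
}

# Check 1: returns 0 (true) if "other" has no permission bits on the file.
not_world_readable() {
    mode="$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")"
    [ $(( mode % 10 )) -eq 0 ]
}

# Check 2: returns 0 (true) if the config still carries the shipped default
# password, i.e. anyone with local access can open the database.
uses_default_password() {
    grep -qE '^ZM_DB_PASS=zmpass$' "$1"
}

# Usage from a postinst (root), hypothetical:
#   pass="$(gen_password)"
#   write_conf /etc/zm/zm.conf "$pass" www-data
#   grant_sql "$pass" | mysql --defaults-file=/etc/mysql/debian.cnf
```

`not_world_readable` and `uses_default_password` are the two checks to run on an existing install: if the first fails or the second succeeds, the box is in the state the report describes.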