Package: hellanzb
Version: 0.10-1
Severity: important
Tags: patch

*** Please type your report below this line ***
The installed configfile /etc/hellanzb.conf contains the following:

    Hellanzb.XMLRPC_PASSWORD = "changeme"

While this is a reasonable recommendation, it is an active value, and will allow users to connect using the password "changeme" to control any running hellanzb daemon, resulting in at least denial of service possibilities. The obvious possibilities include shutting the daemon down, filling the disk, and causing hellanzb to download content of the attacker's choosing (by creating a post on usenet and then submitting a matching nzb). The last may be significantly helpful in mounting an intrusion attack. I do not know if hellanzb's postprocessing is safe against unpacking executable-bit-set files.

Also there is the unpleasantness of having this program (which I'm sure is not really designed with security as the first priority) listening to the internet on a default port, when it is not really apparent that it will behave as a network server. Additionally, there have been security problems within XMLRPC implementations before, and hellanzb itself may not even need to have a flaw to expose the user.

Recommendations:

- Consider adding a debconf setting to force the administrator to pick some kind of password, or at least to warn about the issue on install.

- Consider patching hellanzb to refuse to start when a password is not explicitly set (this may be true now, I'm not in a good position to test at the moment), requiring the administrator or user to edit the configfile and choose a password of their own.
- Patch hellanzb to listen on the interface supplied in Hellanzb.XMLRPC_SERVER, or perhaps a new, additional config value such as Hellanzb.XMLRPC_LISTEN. An example patch (generated in reverse) is located in the upstream ticket system here: http://www.hellanzb.com/trac/hellanzb/ticket/249 Applying this patch with the current configfile will cause Hellanzb to listen to localhost only in combination with the current default configuration file, which will be a marked improvement to the package. The author is understanding of the issue and may apply this patch or a variant in the future.

- Really the ideal would be for the IPC to work over UNIX domain sockets by default, but I'm certainly not going to bother to author that patch. :-)

By the way, thanks for packaging this program. It works very well. Your confDirs patch is a nice touch, which I used when upgrading to 0.11 myself.

-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (990, 'testing')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.19.2-jsr1
Locale: LANG=en_US.iso88591, LC_CTYPE=en_US.iso88591 (charmap=ISO-8859-1)

Versions of packages hellanzb depends on:
ii  par2                  0.4-8      Parity Archive Volume Set, for che
ii  python                2.4.4-2    An interactive high-level object-o
ii  python-support        0.5.6      automated rebuilding support for p
ii  python-twisted-core   2.4.0-3    Event-based framework for internet
ii  python-twisted-web    0.6.0-1    An HTTP protocol implementation to

hellanzb recommends no packages.

-- no debconf information
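Added example, not code from hellanzb or from the reporter: a start-up check that implements the two patch recommendations above (refuse to start while Hellanzb.XMLRPC_PASSWORD is still the shipped placeholder, and bind the XML-RPC listener to a configured address that defaults to localhost). The real hellanzb config is a Python file of "Hellanzb.KEY = value" assignments executed by the daemon; this example parses that line shape with a regex plus ast.literal_eval instead of exec'ing it, uses the standard-library SimpleXMLRPCServer rather than hellanzb's Twisted server, treats Hellanzb.XMLRPC_LISTEN as an assumed new setting (falling back to XMLRPC_SERVER as the ticket proposes), and assumes 8760 as the port default. The two config snippets are constructed for the demo.

```python
"""Start-up hardening for a hellanzb-style XML-RPC config (added example).

Assumptions: Hellanzb.XMLRPC_LISTEN is a hypothetical new setting naming the
bind address; Hellanzb.XMLRPC_SERVER is used as a fallback; port 8760 is the
assumed default; SimpleXMLRPCServer stands in for hellanzb's Twisted server.
"""
import ast
import re
from xmlrpc.server import SimpleXMLRPCServer

# Values that must never be accepted as a control password.
DEFAULT_PLACEHOLDERS = {"changeme", ""}
ASSUMED_DEFAULT_PORT = 8760
LINE_RE = re.compile(r"^\s*Hellanzb\.([A-Z_]+)\s*=\s*(.+?)\s*$")


class ConfigError(Exception):
    """Raised when the config must not be used to start the daemon."""


def parse_hellanzb_conf(text):
    """Return {KEY: value} from 'Hellanzb.KEY = <python literal>' lines.

    Only literals are accepted; anything else (a call, a name) is rejected,
    so the config is read as data rather than executed as code.
    """
    settings = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # blank lines, comments, non-Hellanzb lines
        key, literal = m.groups()
        try:
            settings[key] = ast.literal_eval(literal)  # trailing '# ...' is fine
        except (ValueError, SyntaxError):
            raise ConfigError("non-literal value for Hellanzb.%s" % key)
    return settings


def check_xmlrpc_settings(settings):
    """Validate the XML-RPC settings; return (listen_host, port, password)."""
    password = settings.get("XMLRPC_PASSWORD")
    if not isinstance(password, str) or password in DEFAULT_PLACEHOLDERS:
        raise ConfigError(
            "Hellanzb.XMLRPC_PASSWORD is unset or still the shipped placeholder; "
            "edit the config and choose your own password before starting")
    port = settings.get("XMLRPC_PORT", ASSUMED_DEFAULT_PORT)
    if not isinstance(port, int) or not 1 <= port <= 65535:
        raise ConfigError("Hellanzb.XMLRPC_PORT must be a TCP port number")
    # Bind address: assumed new XMLRPC_LISTEN setting, then XMLRPC_SERVER,
    # then loopback. The daemon is never exposed to the network by default.
    listen = (settings.get("XMLRPC_LISTEN")
              or settings.get("XMLRPC_SERVER")
              or "127.0.0.1")
    if not isinstance(listen, str):
        raise ConfigError("Hellanzb.XMLRPC_LISTEN must be a host address string")
    return listen, port, password


def make_xmlrpc_server(listen, port):
    """Bind the XML-RPC listener to the configured address only."""
    return SimpleXMLRPCServer((listen, port), logRequests=False, allow_none=True)


def startup_check(conf_text):
    """Return ('ok', listen, port) or ('refused', reason) for a config text."""
    try:
        listen, port, _password = check_xmlrpc_settings(parse_hellanzb_conf(conf_text))
    except ConfigError as exc:
        return ("refused", str(exc))
    return ("ok", listen, port)


# Constructed sample resembling the shipped default config (not the real file).
SHIPPED_CONF = '''
# XML-RPC control interface
Hellanzb.XMLRPC_SERVER = "localhost"
Hellanzb.XMLRPC_PORT = 8760  # assumed default
Hellanzb.XMLRPC_PASSWORD = "changeme"
'''

# The same config after the administrator has done what the report asks.
HARDENED_CONF = (SHIPPED_CONF.replace('"changeme"', '"s3cr3t-local-only"')
                 + 'Hellanzb.XMLRPC_LISTEN = "127.0.0.1"\n')


if __name__ == "__main__":
    print(startup_check(SHIPPED_CONF))          # refused: placeholder password
    status, listen, port = startup_check(HARDENED_CONF)
    server = make_xmlrpc_server(listen, 0)      # port 0: let the OS pick for the demo
    print(status, "listening on", server.server_address)
    server.server_close()
```

The check runs before any socket is opened, so a daemon started from the unedited Debian config exits with a clear message instead of silently accepting "changeme" from the network; the listener is then bound to the configured address, which is loopback unless the administrator sets otherwise.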