Package: motion
Version: 3.2.3-2.1
Severity: grave
Tags: security
X-Debbugs-CC: [EMAIL PROTECTED]

Hi,
the default configuration file of motion is world-readable in default
installations on Debian:

ls -l /etc/motion/motion.conf
-rw-r--r-- 1 root root 22085  5. Jun 00:49 /etc/motion/motion.conf

That basically makes the control_authentication which is used for
http authentication useless as an attacker can read login credentials
and then change the configuration to whatever he likes via the web
interface of motion (for example switching off motion detection).

Kind regards
Nico

--- System information. ---
Architecture: amd64
Kernel:       Linux 2.6.24-1-amd64

Debian Release: lenny/sid
  500 unstable        debian.netcologne.de

--- Package information. ---
Depends                          (Version) | Installed
==========================================-+-===================
libavcodec51            (>= 0.svn20080206) | 0.svn20080206-7
libavformat52           (>= 0.svn20080206) | 0.svn20080206-7
libavutil49             (>= 0.svn20080206) | 0.svn20080206-7
libc6                           (>= 2.7-1) | 2.7-12
libjpeg62                                  | 6b-14
libmysqlclient15off            (>= 5.0.27-1) | 5.0.51a-6
libpq5                       (>= 8.3~beta1) | 8.3.1-2+b1
debconf                           (>= 0.5) | 1.5.22
 OR debconf-2.0                            |
adduser                                    | 3.107
debconf                                    | 1.5.22

-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
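A check for the condition reported above, as an added example that is not part of the original report: it flags a motion configuration file that is readable by "other" while it sets control_authentication. The function name, its return codes and the constructed sample file are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the bug report. Function name and return codes are
# this example's own choices.
# Returns 1 when FILE is readable by "other" and sets control_authentication,
# 0 when it is not exposed, 2 when FILE is not a regular file.
audit_motion_conf() {
    conf=${1:-/etc/motion/motion.conf}
    if [ ! -f "$conf" ]; then
        echo "SKIP  $conf: not a regular file"
        return 2
    fi
    # The line must begin with the option name, so commented-out defaults do
    # not match. The value itself is never printed.
    if grep -Eq '^[[:space:]]*control_authentication[[:space:]]+[^[:space:]]' "$conf"; then
        has_cred=yes
    else
        has_cred=no
    fi
    # find -perm -004 matches only when the "other" read bit is set.
    if [ -n "$(find "$conf" -prune -perm -004 2>/dev/null)" ]; then
        world=yes
    else
        world=no
    fi
    if [ "$world" = yes ] && [ "$has_cred" = yes ]; then
        echo "FAIL  $conf: readable by other and sets control_authentication"
        echo "      remove read access for other (chmod o-r) and change the password"
        return 1
    fi
    if [ "$world" = yes ]; then
        echo "INFO  $conf: readable by other, no active control_authentication"
    else
        echo "OK    $conf: not readable by other"
    fi
    return 0
}

# Constructed sample file (not a real configuration) so the check runs anywhere.
demo_dir=$(mktemp -d)
printf '%s\n' '# constructed sample' 'control_authentication user:constructed-secret' \
    > "$demo_dir/motion.conf"
chmod 644 "$demo_dir/motion.conf"
audit_motion_conf "$demo_dir/motion.conf" || true
rm -rf "$demo_dir"
```

After tightening the mode, confirm that the account the daemon runs as can still read the file.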