Public bug reported:

The default configuration for this package is to:

1) Listen on all network interfaces instead of localhost
2) Perform no logging at all

To deal with #1, I propose that the "Address" and "OnlyFrom" directives in the ziproxy.conf file be uncommented by default so that the service is not exposed to the internet at large unless the user actively takes steps to configure it to do so.

For #2, I propose uncommenting the "AccessLog" directive by default in the ziproxy.conf file.

Those two changes would bring this package more in line with the sane defaults that the squid3 package provides.

The reason I'm filing this bug report is that I recently had a VM that was being used as an open relay to attack other hosts because of the default configuration of this package. While I accept responsibility for not carefully vetting all installed packages on the VM, I am surprised that a proxy server would listen on interfaces other than localhost without explicit configuration to do so.

** Affects: ziproxy (Ubuntu)
     Importance: Undecided
         Status: New

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1250952

Title:
  Unsafe default configuration poses security risk

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ziproxy/+bug/1250952/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
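As an added example that is not part of the bug report or of the ziproxy package, the following script audits a ziproxy.conf for the three weak defaults the report names (Address, OnlyFrom and AccessLog left commented out). It assumes the file uses one "Key = value" directive per line with '#' comments; the two sample configurations are constructed, not the shipped file.

```python
import re
from ipaddress import ip_address

# Assumed ziproxy.conf syntax: one "Key = value" per line, values optionally
# quoted, '#' starting a comment (a commented-out directive is inactive).
_DIRECTIVE = re.compile(r'^\s*([A-Za-z]+)\s*=\s*"?([^"#]*?)"?\s*(?:#.*)?$')

def parse_ziproxy_conf(text):
    """Return {directive: value} for the active (uncommented) lines only."""
    conf = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        m = _DIRECTIVE.match(line)
        if m:
            conf[m.group(1)] = m.group(2).strip()
    return conf

def audit_ziproxy_conf(text):
    """List the exposure problems the report describes; empty means hardened."""
    conf = parse_ziproxy_conf(text)
    findings = []
    address = conf.get('Address')
    if address is None:
        findings.append('Address unset: listens on all interfaces')
    else:
        try:
            if not ip_address(address).is_loopback:
                findings.append(f'Address {address} is not loopback')
        except ValueError:
            findings.append(f'Address {address!r} is not an IP address')
    if 'OnlyFrom' not in conf:
        findings.append('OnlyFrom unset: accepts connections from any client')
    if 'AccessLog' not in conf:
        findings.append('AccessLog unset: no access logging')
    return findings

# Constructed samples (not the shipped file): the default shape the report
# describes, with the directives commented out, and the proposed hardened one.
DEFAULT_CONF = """Port = 8080
# Address = "127.0.0.1"
# OnlyFrom = "127.0.0.1"
# AccessLog = "/var/log/ziproxy/access.log"
"""
HARDENED_CONF = """Port = 8080
Address = "127.0.0.1"
OnlyFrom = "127.0.0.1"
AccessLog = "/var/log/ziproxy/access.log"
"""
```

Run `audit_ziproxy_conf(open('/etc/ziproxy/ziproxy.conf').read())` on a host to get the list of findings; an empty list means all three directives are active and the bind address is loopback.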