Security hole

Gool · Post by **Gool** » Tue Feb 10, 2009 3:12 pm

http://serverip/zm/events/
http://serverip/zm/images/

curtishall · Post by **curtishall** » Tue Feb 10, 2009 5:34 pm

Gool wrote:http://serverip/zm/events/
http://serverip/zm/images/

Technically this isn't a security "hole" or a vulnerability. There are three ways to fix this...throw in a blank index.html file in each directory, throw together a .htaccess or turn off directory listing in the apache configuration.

haus · Post by **haus** » Tue Feb 10, 2009 6:53 pm

Yep - you can edit /etc/apache2/conf.d/zoneminder.conf (or wherever yours sits - this is Ubuntu server 7.10) and where it says "Options Indexes FollowSymLinks", put a "-" sign before the word "Indexes".

Mine now reads:

Options -Indexes FollowSymLinks

This doesn't stop someone from guessing a filename, which may be easier than it looks.

http://server/zm/events/1/nnnnn/001-capture.jpg

Replace "server" with your IP and "nnnnn" with some random numbers and see what you can find...

Post by **zoneminder** » Tue Feb 10, 2009 7:54 pm

The TODO list has an entry to move the images above the web root to prevent this kind of access. You can also try using the deep file system which is much harder to guess but there is no easy migration from one to the other at present.

haus · Post by **haus** » Tue Feb 10, 2009 9:16 pm

That makes sense phil, good todo item. Either way, if you don't advertise your ZM box it's fairly unlikely someone is going to go to such lengths to guess filenames, and you could always use basic auth for another layer of protection.

Post by **cordel** » Tue Feb 10, 2009 10:36 pm

I normally setup basic auth through Apache and in the Apache config I remove the Index directive for the whole tree to not be indexed so someone would have to guess the whole path and files.

I would suggest basic http auth through Apache though anyway regardless.

ZoneMinder Forums

Security hole

Security hole

Re: Security hole