Hi,
I'm just getting started with ZoneMinder but so far, I'm very impressed!
Since I'm running the console on a publicly accessible website, I'm using the ZM_OPT_USE_AUTH option to require logins. However, I noticed that I could still connect directly to the url for zms (http://mysite/cgi-bin/zms) and see a live feed without any authentication at all.
Is this by design?
Cheers,
Andrew
I'm using 1.19.4 btw
Security for ZMS streaming server
Reconfigure your apache
I think this is not a zm issue since people should not be able to reach paths outside your web directory. At least they can't on my boxes.
Make sure your cgi-bin is not inside your webdirectory
I use /var/www/html as my webdirectory and
/var/www/cgi-bin
- Posts: 74
- Joined: Wed Feb 25, 2004 5:06 pm
I disagree, the location of the streaming server executable is neither here nor there. The problem is that people can access the streams simply by guessing the camera number and keying it into the stream url.
I've had a look at the source for zms and it's not as easy to change as it might appear - the id of the logged-on user is stored in a session variable rather than a cookie, thus making it quite difficult to extract the information. (FYI, session variables are stored in a text file on the server whilst cookies appear as environment variables)
- zoneminder
- Site Admin
- Posts: 5215
- Joined: Wed Jul 09, 2003 2:07 pm
- Location: Bristol, UK
Adding full authentication to the zms programs is near the top of my priority list. I did start on it a while back but it turned out a little too flaky so I went back to the drawing board and started again.
I think the method I will be taking is either (a) storing sessions in the database and accessing this session information from zms itself, or (b) generating a hashed cookie from the user/password information and using that to authenticate. Method (a) is more secure but enforces a particular sessions storage mechanism which some people might not like while (b) is much simpler and would prevent casual snooping but would probably not prevent session hijacking or other more sophisticated snoops.
I may end up doing (b) initially and then (a) later, though actually there's a lot to be said for having session information in the database anyway.
Phil
- zoneminder
- Site Admin
- Posts: 5215
- Joined: Wed Jul 09, 2003 2:07 pm
- Location: Bristol, UK
I've done a mod for 1.20.0 (which is nearly done) which passes the username and an authentication string to zms when invoked. This authentication string is an md5 hash of the username, password hash, remote address, time of day and secret. Zms then generates its own hash from what it knows and if they match then you are in.
It's not 100% immune to attack but each hash is only valid for an hour or so (to start a stream, once started they can run forever), so even if someone spoofed the remote IP and sniffed a hash it would only work for a very limited time. Frankly I think that if someone is spoofing your IP and sniffing your connection you probably have more to worry about than just ZM streaming.
Phil
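A small model of the scheme Phil describes above, added here as an illustration and not code from ZoneMinder or from any poster: the console hashes username, password hash, remote address, an hourly time bucket and a shared secret; zms recomputes the hash from what it knows and compares. The field order, the `|` separator, the hour bucket, the one-bucket grace window, the user table and the secret are all constructed assumptions, not ZoneMinder's actual layout.

```python
import hashlib
import hmac

# Constructed placeholder values; a real install keeps its own secret and users.
SECRET = "PLACEHOLDER-SECRET"
USERS = {"andrew": hashlib.md5(b"constructed-password").hexdigest()}  # constructed

def hour_bucket(ts):
    """Time-of-day component: whole hours, so a token stops validating after ~1 hour."""
    return int(ts // 3600)

def auth_hash(username, password_hash, remote_addr, hour, secret=SECRET):
    """Console side: the auth string handed to zms. md5 over the fields the post
    names; order and separator are assumptions, not ZM's real concatenation."""
    material = "|".join([username, password_hash, remote_addr, str(hour), secret])
    return hashlib.md5(material.encode()).hexdigest()

def zms_verify(token, username, remote_addr, now, users=USERS, secret=SECRET, window=1):
    """zms side: rebuild the hash from its own knowledge (stored password hash, the
    request's remote address, its own clock) and compare. The previous `window`
    hour bucket is also accepted so a token issued just before the hour rolls
    over still starts a stream; a captured token therefore dies within ~2 hours."""
    pw_hash = users.get(username)
    if pw_hash is None:
        return False
    cur = hour_bucket(now)
    for h in range(cur, cur - window - 1, -1):
        expected = auth_hash(username, pw_hash, remote_addr, h, secret)
        if hmac.compare_digest(expected, token):  # constant-time comparison
            return True
    return False

def demo(t0=1_700_000_000):
    """Issue one token and replay it under the conditions the post discusses."""
    token = auth_hash("andrew", USERS["andrew"], "203.0.113.5", hour_bucket(t0))
    return {
        "same_client_soon": zms_verify(token, "andrew", "203.0.113.5", t0 + 600),
        "other_address": zms_verify(token, "andrew", "198.51.100.9", t0 + 600),
        "guessed_token": zms_verify("0" * 32, "andrew", "203.0.113.5", t0),
        "hours_later": zms_verify(token, "andrew", "203.0.113.5", t0 + 3 * 3600),
    }

if __name__ == "__main__":
    print(demo())
```

Only the first case succeeds: a token replayed from another address, a guessed token, or the same token a few hours later is rejected, which is the bounded exposure Phil describes.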