Page 1 of 1
Security hole
Posted: Tue Feb 10, 2009 3:12 pm
by Gool
Re: Security hole
Posted: Tue Feb 10, 2009 5:34 pm
by curtishall
Technically this isn't a security "hole" or a vulnerability. There are three ways to fix this...throw in a blank index.html file in each directory, throw together a .htaccess or turn off directory listing in the apache configuration.
Posted: Tue Feb 10, 2009 6:53 pm
by haus
Yep - you can edit /etc/apache2/conf.d/zoneminder.conf (or wherever yours sits - this is Ubuntu server 7.10) and where it says "Options Indexes FollowSymLinks", put a "-" sign before the word "Indexes".
Mine now reads:
Options -Indexes FollowSymLinks
This doesn't stop someone from guessing a filename, which may be easier than it looks.
http://server/zm/events/1/nnnnn/001-capture.jpg
Replace "server" with your IP and "nnnnn" with some random numbers and see what you can find...
Posted: Tue Feb 10, 2009 7:54 pm
by zoneminder
The TODO list has an entry to move the images above the web root to prevent this kind of access. You can also try using the deep file system which is much harder to guess but there is no easy migration from one to the other at present.
Posted: Tue Feb 10, 2009 9:16 pm
by haus
That makes sense phil, good todo item. Either way, if you don't advertise your ZM box it's fairly unlikely someone is going to go to such lengths to guess filenames, and you could always use basic auth for another layer of protection.
Posted: Tue Feb 10, 2009 10:36 pm
by cordel
I normally setup basic auth through Apache and in the Apache config I remove the Index directive for the whole tree to not be indexed so someone would have to guess the whole path and files.
I would suggest basic http auth through Apache though anyway regardless.
