Hi, I'm using mt-daapd 0.9~r1696.dfsg-6 on Debian Lenny (amd64).
As far as I get it there have been 4 security issues reported:

[1] The web interface can be accessed remotely
    => local access only

[2] There is a default password set, which is "mt-daapd"
    => lock admin account per default, set no password

[3] The password isn't checked if you're coming via localhost
    => check password

[4] /etc/mt-daapd.conf stores the admin-pw as clear text and is world-readable.
    => store the password using a salted hash OR use the root password like the CUPS webinterface does
    => change file permissions to 0600

This is an absolute security nightmare! Even worse, according to Joshua Kwan, only [3] and [4] have been (partially) fixed so far.

So my actual experience is: When I install mt-daapd on my machine, the webinterface is STILL REMOTELY ACCESSIBLE and there is STILL A DEFAULT PASSWORD which is STORED in CLEAR TEXT.

Honestly, installing mt-daapd is IMHO not better than setting your root-pw to "root" and installing a ssh server!

Alexander Kurtz
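A small audit script for the points raised in the report, added here as an example (it is not part of the bug report or of mt-daapd). It assumes the Debian config path /etc/mt-daapd.conf named above, the `admin_pw` key of the stock config file and the default DAAP port 3689 (the latter two are assumptions, not taken from the report), plus GNU `stat` and `ss`.

```shell
#!/bin/sh
# Added audit helper, not part of the bug report or of mt-daapd.
# Assumptions: config at /etc/mt-daapd.conf with an "admin_pw = ..." line,
# daemon on TCP port 3689, GNU stat(1) and ss(8) available.

# 0 if the config grants any group/other permission bits, 1 otherwise.
conf_world_readable() {
    perms=$(stat -c '%a' "$1")          # e.g. 644, 600 (or 4644 with setuid)
    case "$perms" in
        *00) return 1 ;;                # group and other have no bits set
        *)   return 0 ;;
    esac
}

# 0 if admin_pw is unset or still the shipped default "mt-daapd".
admin_pw_is_default() {
    pw=$(sed -n 's/^[[:space:]]*admin_pw[[:space:]]*=[[:space:]]*//p' "$1" \
         | head -n 1 | sed 's/[[:space:]]*$//')
    [ -z "$pw" ] || [ "$pw" = "mt-daapd" ]
}

# Reads `ss -ltn` style output on stdin; 0 if port 3689 is bound to a
# non-loopback address (reachable remotely), 1 otherwise.
listener_bound_remotely() {
    awk '$4 ~ /:3689$/ && $4 !~ /^(127\.|\[::1\])/ { found = 1 }
         END { exit found ? 0 : 1 }'
}

# Runs every check, prints one line per finding, non-zero if any fired.
audit_mt_daapd() {
    conf="${1:-/etc/mt-daapd.conf}"
    rc=0
    if conf_world_readable "$conf"; then
        echo "WARN: $conf is readable by group/others (chmod 0600)"; rc=1
    fi
    if admin_pw_is_default "$conf"; then
        echo "WARN: admin_pw is missing or the shipped default"; rc=1
    fi
    if command -v ss >/dev/null 2>&1 && ss -ltn | listener_bound_remotely; then
        echo "WARN: port 3689 listens on a non-loopback address"; rc=1
    fi
    return "$rc"
}
```

Run it as root with `audit_mt_daapd` (or pass another config path as the first argument) after installing the package to see which of the four points still apply on your host.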