Hi,

I'm using mt-daapd 0.9~r1696.dfsg-6 on Debian Lenny (amd64).

As far as I get it there have been 4 security issues reported:

[1] The web interface can be accessed remotely
    => local access only
[2] There is a default password set, which is "mt-daapd"
    => lock admin account per default, set no password
[3] The password isn't checked if you're coming via localhost
    => check password
[4] /etc/mt-daapd.conf stores the admin-pw as clear text 
    and is world-readable.
    => store the password using a salted hash OR
       use the root password like the CUPS webinterface does
    => change file permissions to 0600

This is an absolute security nightmare! Even worse, according to Joshua
Kwan, only [3] and [4] have been (partially) fixed so far.

So my actual experience is: When I install mt-daapd on my machine, the
webinterface is STILL REMOTELY ACCESSIBLE and there is STILL A DEFAULT
PASSWORD which is STORED in CLEAR TEXT.

Honestly, installing mt-daapd is IMHO not better than setting your
root-pw to "root" and installing an ssh server!

Alexander Kurtz
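A quick way for an administrator to verify issues [2] and [4] from the list above on their own box, as an added example that is not part of the original report or of the mt-daapd package: the script checks whether the config file is readable by group/other and whether `admin_pw` is unset or still the shipped default. It assumes the ini-style key name `admin_pw` and GNU `stat -c '%a'`; both are assumptions, not taken from the report.

```shell
#!/bin/sh
# Added example, not from the bug report or the mt-daapd project.
# Audits an mt-daapd style config file for two of the reported issues:
#   [4] the file is readable by group or other (should be 0600)
#   [2] the admin password is missing or still the default "mt-daapd"
# Assumption: the password key is "admin_pw" in an ini-style file, and
# GNU stat is available (stat -c '%a' prints the octal mode, e.g. 644).

# Return 0 when the mode grants nothing to group and other (xx00 pattern),
# which is what a 0600 config file looks like; 1 otherwise or if stat fails.
perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Return 0 when admin_pw is present, non-empty and not the default value.
# The sed expression strips "admin_pw =" and surrounding whitespace and
# prints only matching lines; head keeps the first definition.
password_ok() {
    pw=$(sed -n -e 's/^[[:space:]]*admin_pw[[:space:]]*=[[:space:]]*//' \
                -e 't keep' -e 'd' -e ':keep' -e 's/[[:space:]]*$//p' "$1" \
         | head -n 1)
    [ -n "$pw" ] && [ "$pw" != "mt-daapd" ]
}

# Run both checks, report each failure, return 1 if anything failed.
audit_conf() {
    rc=0
    if ! perms_ok "$1"; then
        echo "$1: readable by group/other (expected mode 0600)"
        rc=1
    fi
    if ! password_ok "$1"; then
        echo "$1: admin_pw is missing or still the default"
        rc=1
    fi
    return $rc
}

# Usage: ./audit-mt-daapd.sh /etc/mt-daapd.conf
if [ $# -gt 0 ]; then
    audit_conf "$1"
    exit $?
fi
```

The script only reads mode bits and the one key, so it is safe to run from cron or a config-management check; a nonzero exit means the package's shipped defaults are still in place.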
