mirror of
https://github.com/motioneye-project/motioneye.git
synced 2026-03-02 22:57:06 -05:00
Lack of a default user password exposes config file which contains potentially sensitive information #2132
Labels
No labels
Android app
Arch Linux
CI/CD
CSS
FreeBSD
HTML/HTTP
Home Assistant addon
JavaScript
Python
Raspberry Pi
Stale No Activity 60 Days
bug
code format
dependencies
dev branch
docker
documentation
duplicate
enhancement
feature
help wanted
i18n/l10n
invalid
legacy motionEye
meta
motion
motionEyeOS
notourproblem
python update
question
question
security
troubleshooting
wontfix
wontfix
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
starred/motioneye#2132
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @pizza-power on GitHub (Feb 17, 2022).
Originally assigned to: @MichaIng, @jmichault on GitHub.
Last time I posted (in motioneyeOS maybe) about the default lack of admin password/easily bruteforced password, leaving users open to remote code execution, and it was seen as a non-issue, so this may also be a non-issue to you.
If a "user" password is unset, even if an "admin" password is set, the config file at the "/config/list" endpoint remains viewable to anybody that has access to the MotionEye instance. Using Shodan, I've found a large amount of them open to the public.
This config file contains some highly sensitive information such as email addresses and passwords for various services where uploading of files occur such as external FTP, SFTP, gmail, gdrive, telegram, and potentially others.
I just wanted to post this so people know that even if they set an "admin" password, they also need to set a "user" password - especially if their config contains sensitive information like credentials for an upload service - and even more especially if they also expose their MotionEye instance to the internet.
@starbasessd commented on GitHub (Feb 17, 2022):
Thank you for your notification.
@zagrim commented on GitHub (Feb 17, 2022):
I for one didn't know that, and didn't even realise there is such an endpoint in ME. I wonder if
/configendpoints should require admin to be able to access them. Not that it would make other auth issues right though.@starbasessd commented on GitHub (Feb 18, 2022):
@pizza-power
Which set of install instructions did you use for testing on what hardware?
I want to confirm at what level is the vulnerability introduced, and is it a python2.7 issue, a libmicrohttp12 issue, or something in the motionEye scripts specifically.
@starbasessd commented on GitHub (Feb 18, 2022):
Nevermind. It exists in both motioneye and motioneyeOS. It's a json report page. Reporting as a bug.
Still need to find out where it is introduced / enabled.
@pizza-power commented on GitHub (Feb 18, 2022):
I tested with the latest docker image from the docker-compose and then just 0.42.1 I downloaded from github and manually ran. Both on Ubuntu 21.10 x86_64 linux kernel 5.13.
Off the top of my head, it's probably just a route authentication issue in MotionEye.
Could you just change line 545 in handlers.py to @BaseHandler.auth(admin=True) - it is currently @BaseHandler.auth()? That seems to fix the issue, in my very limited testing, but I'm not as familiar with the code as you are, so maybe that will break something else.
@pizza-power commented on GitHub (Feb 18, 2022):
I put in a simple pull request to change line 545 in handlers.py. Like I said, it will need some more testing. Thanks for the help!
@jmichault commented on GitHub (Mar 9, 2022):
change made in motioneye/handlers/config.py, commit
github.com/motioneye-project/motioneye@c60b64af5b@MichaIng commented on GitHub (Mar 15, 2022):
Reopening this since the patch needed to be reverted. The surveillance user must have access to the config currently.
Not sure whether it would be possible to split the functions to get a limited required config list for surveillance user and the full list only as admin.
Easier would be to apply a default password for both users. This is pretty common nowadays for web applications, not an issue when documented well, and we may even add a password input and optionally as CLI argument to the new
motioneye_initcommand. General CLI support has already been added to make it usable in unattended installers and CI/CD workflows. Widening it to be an interactive setup script (optionally called unattended via--script/-sor--batch/-boption e.g.) wouldn't be so difficult.