Unsafe default configuration poses security risk

Bug #1250952 reported by Shelby Cain on 2013-11-13
This bug affects 1 person
Affects Status Importance Assigned to Milestone
ziproxy (Ubuntu)

Bug Description

The default configuration for this package is to:
1) Listen on all network interfaces instead of localhost
2) Performs no logging at all

To deal with #1, I propose that the "Address" and "OnlyFrom" directives in the ziproxy.conf file be uncommented by default so that the service is not exposed to the internet at large unless the user actively takes steps to configure it to do so.

For #2, I propose uncommenting the "AccessLog" directive by default in the ziproxy.conf file.

Those two changes would bring this package more inline with the sane defaults that the squid3 package provides.

The reason I'm filing this bug report is that I recently had a VM that was being used as an open relay to attack other hosts because of the default configuration of this package. While I accept responsibility for not carefully vetting all installed packages on the VM, I am surprised that a proxy server would listen on interfaces other than localhost without explicit configuration to do so.

Quinn Balazs (qbalazs) on 2013-11-13
information type: Public → Public Security
Marc Deslauriers (mdeslaur) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in ziproxy (Ubuntu):
status: New → Incomplete
Launchpad Janitor (janitor) wrote :

[Expired for ziproxy (Ubuntu) because there has been no activity for 60 days.]

Changed in ziproxy (Ubuntu):
status: Incomplete → Expired
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ziproxy - 3.3.1-2

ziproxy (3.3.1-2) unstable; urgency=medium

  * Upload to unstable.

 -- Marcos Talau <email address hidden> Tue, 29 Dec 2015 13:20:31 -0200

Changed in ziproxy (Ubuntu):
status: Expired → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers