Unsafe default configuration poses security risk
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
ziproxy (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
The default configuration for this package is to:
1) Listen on all network interfaces instead of localhost
2) Performs no logging at all
To deal with #1, I propose that the "Address" and "OnlyFrom" directives in the ziproxy.conf file be uncommented by default so that the service is not exposed to the internet at large unless the user actively takes steps to configure it to do so.
For #2, I propose uncommenting the "AccessLog" directive by default in the ziproxy.conf file.
Those two changes would bring this package more inline with the sane defaults that the squid3 package provides.
The reason I'm filing this bug report is that I recently had a VM that was being used as an open relay to attack other hosts because of the default configuration of this package. While I accept responsibility for not carefully vetting all installed packages on the VM, I am surprised that a proxy server would listen on interfaces other than localhost without explicit configuration to do so.
information type: | Public → Public Security |
Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https:/ /wiki.ubuntu. com/SecurityTea m/UpdateProcedu res