Send Motion-user mailing list submissions to
	motion-user@lists.sourceforge.net

To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.sourceforge.net/lists/listinfo/motion-user
or, via email, send a message with subject or body 'help' to
	motion-user-requ...@lists.sourceforge.net

You can reach the person managing the list at
	motion-user-ow...@lists.sourceforge.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Motion-user digest..."

Today's Topics:

   1. Re: motion security patch release 3.4.2 (Damian)
   2. Re: motion security patch release 3.4.2 (tosiara)
   3. Re: motion security patch release 3.4.2 (Mike Wilson)

----------------------------------------------------------------------

Message: 1
Date: Mon, 26 Oct 2020 11:42:04 +0100
From: Damian <motion-u...@arcsin.de>
To: motion-user@lists.sourceforge.net
Subject: Re: [Motion-user] motion security patch release 3.4.2
Message-ID: <0cf8b8c4-3d8c-3748-9533-06cf2e69d...@arcsin.de>
Content-Type: text/plain; charset=utf-8

> The default config restricts stream and webcontrol ports to localhost, so
> it is a partial mitigation that comes out of the box. In that case a remote
> attacker would need to use additional techniques to perform a request to
> localhost, but it is still possible (e.g., CSRF). The only full mitigations
> are either to patch to 3.4.2 or to completely disable the ports.

What about setups with webcontrol@localhost behind a reverse proxy? Are
malicious requests exotic in nature, so that they would be blocked by the
proxy, or are they regular HTTP requests that motion just cannot handle?

------------------------------

Message: 2
Date: Mon, 26 Oct 2020 13:38:07 +0200
From: tosiara <tosi...@gmail.com>
To: Motion discussion list <motion-user@lists.sourceforge.net>
Subject: Re: [Motion-user] motion security patch release 3.4.2
Message-ID: <cachtdwsjapgzy_fmgx7w9udrtk_qvn3hz-j_te8jaugi31x...@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

Unfortunately, a reverse proxy would not help either. Since reverse proxies
carry the entire URI with all the params, they will also pass the malicious
ones and will trigger the bug.

Speaking about the maliciousness of the request, it is malformed in terms
of the RFC, but browsers still handle it as is and I have never seen such
URLs being rejected or causing a crash.

On Mon, Oct 26, 2020 at 1:03 PM Damian via Motion-user
<motion-user@lists.sourceforge.net> wrote:

> What about setups with webcontrol@localhost behind a reverse proxy? Are
> malicious requests exotic in nature, so that they would be blocked by the
> proxy, or are they regular HTTP requests that motion just cannot handle?

------------------------------

Message: 3
Date: Mon, 26 Oct 2020 10:51:44 -0400
From: Mike Wilson <knobby2...@gmail.com>
To: Motion discussion list <motion-user@lists.sourceforge.net>
Subject: Re: [Motion-user] motion security patch release 3.4.2
Message-ID: <CAAVeUCrg+NVaPRDx7p=kxbf0m8rswryagsg-o+hcupnfeiv...@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

Thank you for sending out this notification.

On Mon, Oct 26, 2020 at 7:40 AM tosiara <tosi...@gmail.com> wrote:

> Unfortunately, a reverse proxy would not help either. Since reverse proxies
> carry the entire URI with all the params, they will also pass the malicious
> ones and will trigger the bug.
>
> Speaking about the maliciousness of the request, it is malformed in terms
> of the RFC, but browsers still handle it as is and I have never seen such
> URLs being rejected or causing a crash.

------------------------------

End of Motion-user Digest, Vol 172, Issue 18
********************************************