python · motioneye · Heads-up
motionEye: Admin password hash exposed via world-readable config file
What changed
motionEye v0.43.1 and prior create /etc/motioneye/motion.conf with 644 permissions, exposing the admin password hash to local users. Fixed in v0.44.0b1 by applying 0600 mode.
Who it affects
All motionEye installations with versions <= 0.43.1b4, where local unprivileged users exist.
What to do today
Upgrade to motionEye 0.44.0b1 or later, or manually set permissions to 600 on /etc/motioneye/motion.conf and camera-*.conf files.
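One way to check and apply the manual permission fix described above, as an added example (not motionEye's own code). The function names `me_list_exposed` and `me_audit` are hypothetical; the default directory is the path named in this advisory.

```shell
#!/bin/sh
# Added example (not motionEye code): audit the config files named in the
# advisory for group/other permission bits, and optionally tighten them.

# Print each motion.conf / camera-*.conf in directory $1 whose mode grants
# anything to group or other. An unmatched glob stays literal and is skipped.
me_list_exposed() {
    for f in "$1"/motion.conf "$1"/camera-*.conf; do
        { [ -f "$f" ] && [ ! -L "$f" ]; } || continue
        # ls -l mode string: characters 5-10 are the group and other triplets
        if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# me_audit DIR [--fix]
# Returns 0 if no file is exposed when it finishes, 1 if some still are,
# 2 if DIR does not exist.
me_audit() {
    dir=${1:-/etc/motioneye}
    if [ ! -d "$dir" ]; then
        echo "ERROR: $dir not found" >&2
        return 2
    fi
    me_list_exposed "$dir" | while IFS= read -r f; do
        echo "EXPOSED: $(ls -ld "$f")"
        if [ "${2:-}" = "--fix" ]; then
            chmod 600 "$f" || echo "FAILED: could not chmod $f" >&2
        fi
    done
    [ -z "$(me_list_exposed "$dir")" ]
}

# Run only when arguments are given, e.g.: sh audit.sh /etc/motioneye --fix
if [ "$#" -gt 0 ]; then me_audit "$@"; fi
```

Run it as root so `chmod` can succeed; the exit status makes it usable from cron or a monitoring check. Tightening the mode does not undo earlier reads, so a hash that was world-readable may already have been copied.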