Privacy
tosiara edited this page Mar 26, 2018 · 10 revisions
When developers ask you to provide config files, logs or a core dump, please be sure to remove all sensitive private info from the uploaded files.
Potential issues are:
- Camera usernames and passwords stored in the config: all of them are in plain text
  - `netcam_url http://camera/stream?user=admin&password=admin`
  - `netcam_url http://admin:admin@camera/stream`
  - `netcam_userpass admin:admin`
  - `stream_authentication admin:admin`
  - `webcontrol_authentication admin:admin`
  - `database_password admin`
- Public IP address or domain name as part of the netcam URL: the camera may be attacked or accessed without authorization
  - `netcam_url http://camera.publicdomain.com/stream`
- Logs containing the netcam URL: they may leak credentials, either as part of the URL or base64-encoded in an `Authorization: Basic` header, which anyone can decode
  - `Network Camera thread starting... for url (http://camera/stream?user=admin&password=admin)`
  - `Authorization: Basic YWRtaW46YWRtaW4=`
- Other private info may appear in the log: server headers, user paths, script parameters, etc.
To verify, grep files before uploading:
```
grep -i "netcam_url\|netcam_userpass\|stream_authentication\|webcontrol_authentication\|database_password\|Network Camera\|Authorization: Basic\|http://\|https://\|ftp://\|password\|target_dir\|on_picture_save\|on_movie_end" motion.log motion.conf
```

Please replace all sensitive strings with `***removed***`.
- In case of a leaked password - change it as soon as possible
- If you reuse the same password across different accounts - change them too
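
One way to apply the `***removed***` replacement automatically before uploading, as an added example that is not part of the Motion project or this wiki. The function name `redact_motion`, the `.redacted` output suffix, the query parameter names other than `user` and `password`, and the choice to redact every URL host are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not Motion project code): redact Motion config/log text.
# redact_motion reads stdin and writes the redacted text to stdout.
redact_motion() {
  sed -E \
    -e 's/^([;#[:space:]]*(netcam_userpass|stream_authentication|webcontrol_authentication|database_password|target_dir|on_picture_save|on_movie_end)[[:space:]]+).*/\1***removed***/' \
    -e 's#([a-zA-Z][a-zA-Z0-9+.-]*://)[^/@[:space:]]+@#\1***removed***@#g' \
    -e 's#(://(\*\*\*removed\*\*\*@)?)[^/:?@[:space:])]+#\1***removed***#g' \
    -e 's/([?&](user|username|pass|password|pwd)=)[^&[:space:])]*/\1***removed***/g' \
    -e 's#(Authorization: Basic[[:space:]]+)[A-Za-z0-9+/=]+#\1***removed***#g'
}
# Rule 1: whole value of the sensitive config keys from the grep above,
#         including commented-out lines starting with ';' or '#'.
# Rule 2: user:password@ embedded in any URL.
# Rule 3: the URL host (public IP address or domain name).
# Rule 4: credentials passed as query parameters (names are assumptions).
# Rule 5: base64 credentials in an "Authorization: Basic" log line.

# Usage: sh redact_motion.sh motion.conf motion.log
# Writes motion.conf.redacted and motion.log.redacted; originals are untouched.
for f in "$@"; do
  redact_motion < "$f" > "$f.redacted"
done
```

Run the grep above on the `.redacted` copies afterwards and review what is left by hand: the filter only covers the patterns listed on this page, not server headers or other private info in the log.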