Package: ejabberd
Version: 1.1.2-6
Severity: normal
By default, ejabberd provides a service accepting public user
registration. Any user on the Internet can potentially connect to the
ejabberd process and register an account for themself. This is a
security issue.
Minimal solution:
- disable the registration service by default
- put instructions in README.Debian for enabling it
Better solution:
- use debconf to allow the installer to choose whether they want public
user registration (default=no)
Modifying /etc/ejabberd/ejabberd.cfg to be like the example below, and
restarting the process, will rectify the issue:
% Every username can be registered via in-band registration:
%{access, register, [{allow, all}]}.
% None username can be registered via in-band registration:
{access, register, [{deny, all}]}.
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.4.26
Locale: LANG=C, LC_CTYPE=C (charmap=ISO-8859-1) (ignored: LC_ALL set to en_US)
Versions of packages ejabberd depends on:
ii adduser 3.102 Add and remove users and groups
ii debconf [debconf-2.0] 1.5.11 Debian configuration management sy
ii erlang-base 1:11.b.2-4 Concurrent, real-time, distributed
ii erlang-nox 1:11.b.2-4 Concurrent, real-time, distributed
ii libc6 2.3.6.ds1-13etch2 GNU C Library: Shared libraries
ii libexpat1 1.95.8-3.4 XML parsing C library - runtime li
ii libssl0.9.8 0.9.8c-4etch1 SSL shared libraries
ii openssl 0.9.8c-4etch1 Secure Socket Layer (SSL) binary a
ii ucf 2.0020 Update Configuration File: preserv
ii zlib1g 1:1.2.3-13 compression library - runtime
ejabberd recommends no packages.
-- debconf information excluded
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]