Comment 14 for bug 608701

Dom Latter (bugs-launchpad-net) wrote :

I see it got unmarked as a security bug. If I may try to re-explain why I think it *is* a bug. Firstly, many VNC users set very weak passwords (e.g. 'password') because they are using it internally behind a firewall, and anyone with physical access to one machine has physical access to the other (or is a trusted family member, etc.).

Secondly, the phrasing "configure network automatically to accept connections" is *so* poor that a user could very easily take it to mean "configure this machine's network interface to accept connections automatically", i.e. a desired behaviour.

Taken together, this could easily lead to users exposing a VNC interface with a weak password to the world, making them vulnerable to brute-force IP scanning attacks.