Impact
There is an issue in how Motion parses the URI of web requests. The Motion process will crash and require a manual restart if a malicious HTTP request is received by either the stream web endpoint or webcontrol. The issue occurs prior to authentication.
In versions prior to 4.2, only webcontrol is affected and authentication cannot be bypassed.
In versions 4.2-4.3.1, both webcontrol and stream are affected.
Patches
The issue has been patched in 4.3.2, and deb packages are available in GitHub releases.
Workarounds
Disable both stream and webcontrol by setting the port of each to 0 in motion.conf.
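
An added example, not code from the Motion project or from this advisory: a small audit that reports which affected endpoints a given Motion version still exposes under a given configuration text. The option names stream_port and webcontrol_port (as used by Motion 4.x), the rule that a later line overrides an earlier one, and treating an unset port as not mitigated are assumptions of the example.

```python
import re

FIXED = (4, 3, 2)        # first patched release, per the advisory
STREAM_FROM = (4, 2, 0)  # the stream endpoint is affected from 4.2 onward

# Assumption: option names as used in Motion 4.x configuration files.
PORT_OPTIONS = {"webcontrol": "webcontrol_port", "stream": "stream_port"}


def parse_version(text):
    """'4.3.1' or '4.3.1-1+b2' -> (4, 3, 1), padded to three fields."""
    nums = [int(n) for n in re.findall(r"\d+", re.split(r"[-+~]", text)[0])]
    return tuple((nums + [0, 0, 0])[:3])


def affected_endpoints(version):
    """Endpoints the advisory lists as affected for this version."""
    v = parse_version(version)
    if v >= FIXED:
        return set()
    return {"webcontrol", "stream"} if v >= STREAM_FROM else {"webcontrol"}


def configured_ports(conf_text):
    """{option: port} for port options set in the text; later lines win (assumption)."""
    ports = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        m = re.match(r"(\w+)[\s=]+(\S+)", line)
        if m and m.group(1) in PORT_OPTIONS.values() and m.group(2).isdigit():
            ports[m.group(1)] = int(m.group(2))
    return ports


def unmitigated(version, conf_text):
    """Affected endpoints whose port is not explicitly 0 (unset counts as open)."""
    ports = configured_ports(conf_text)
    return sorted(ep for ep in affected_endpoints(version)
                  if ports.get(PORT_OPTIONS[ep]) != 0)


# Constructed sample configuration, not taken from a real deployment.
SAMPLE_CONF = "daemon on\n; webcontrol_port 0\nwebcontrol_port 8080\nstream_port 0\n"

if __name__ == "__main__":
    for ver in ("4.1.1", "4.3.1", "4.3.2"):
        print(ver, unmitigated(ver, SAMPLE_CONF) or "no affected endpoint exposed")
```

Pass the concatenated text of motion.conf and any per-camera configuration files so that every port setting is seen.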