Internal-Security-Finding #6: Unprivileged users on the same system can submit incorrect blocks

Open defuse opened this issue 5 years ago • 1 comments

The ZMQ interface isn't authenticated, other than the fact that it listens on 127.0.0.1. Users should be clearly warned that all users on the system can submit blocks into the database (important if they're used to relying on Linux users to isolate applications).

defuse, Apr 30 '19 20:04

We removed ZMQ for lightwalletd. We replaced it with RPC (user and password), so we should be OK with this for now.

Once we put in the patch for this on master, we can close this ticket.

lindanlee, Jul 10 '19 19:07
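An added example, not part of this thread or of lightwalletd's code: the fix described above was RPC with a user and password; another way to get the per-user isolation the issue talks about is a Unix-domain socket whose server asks the kernel for the connecting process's UID, which a listener on 127.0.0.1 cannot do. It assumes Linux (SO_PEERCRED); `peerUID` and `acceptOwned` are hypothetical names.

```go
package main

import (
	"errors"
	"log"
	"net"
	"os"
	"syscall"
)

// peerUID returns the kernel-reported UID (SO_PEERCRED, Linux only) of the connecting process.
func peerUID(c *net.UnixConn) (uint32, error) {
	raw, err := c.SyscallConn()
	if err != nil {
		return 0, err
	}
	var cred *syscall.Ucred
	var optErr error
	if err := raw.Control(func(fd uintptr) {
		cred, optErr = syscall.GetsockoptUcred(int(fd), syscall.SOL_SOCKET, syscall.SO_PEERCRED)
	}); err != nil || optErr != nil {
		return 0, errors.Join(err, optErr)
	}
	return cred.Uid, nil
}

// acceptOwned (hypothetical helper) accepts one connection and reports whether its peer runs as allowedUID.
func acceptOwned(l *net.UnixListener, allowedUID uint32) (bool, error) {
	conn, err := l.AcceptUnix()
	if err != nil {
		return false, err
	}
	defer conn.Close() // this sketch only checks; a real handler would keep authorized peers open
	uid, err := peerUID(conn)
	return err == nil && uid == allowedUID, err
}

func main() {
	if len(os.Args) != 2 {
		log.Fatal("usage: peercheck /path/to/feed.sock")
	}
	l, err := net.ListenUnix("unix", &net.UnixAddr{Name: os.Args[1], Net: "unix"})
	if err != nil {
		log.Fatal(err)
	}
	defer l.Close()
	ok, err := acceptOwned(l, uint32(os.Getuid())) // only the service's own UID is allowed
	log.Println("peer authorized:", ok, "err:", err)
}
```

The socket file's own mode follows the process umask, so placing it in a directory only the service user can enter adds filesystem-level protection on top of the UID check.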