[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Documentation server security issues

Bernd Eckenfels wrote:
>On Jul 7, Riku Saikkonen wrote
>>   An HTTP server listening on any TCP port is not secure, even
>>   if you configure it to only allow accesses from the local host.
>You can bind on, which is then fairly secure.

Sorry, but it doesn't help much (as I said later on in the same message).
If there's a security hole in the HTTP server, it is trivial to create a
WWW page that, when accessed (with almost any browser), will have the
browser create a connection to localhost and exploit the security hole.
The connection comes from the browser, and thus from, so binding
there doesn't help.

(the triviality is to include include in the malicious WWW page an
<IMG SRC="http://localhost/security-exploit-here";>
(and/or an <A HREF> with the same URL and text such as "click here for more
information" for browsers that don't autoload images) in the WWW page; or
include an innocent-looking URL that leads to a redirect to the bad URL,
if you want to do some more hiding)

-=- Rjs -=- rjs@spider.compart.fi, rjs@lloke.dna.fi

TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-devel-request@lists.debian.org . 
Trouble?  e-mail to templin@bucknell.edu .

Reply to: