
Re: Documentation server security issues




On Mon, 7 Jul 1997, Riku Saikkonen wrote:

> Bernd Eckenfels wrote:
> >On Jul 7, Riku Saikkonen wrote
> >>   An HTTP server listening on any TCP port is not secure, even
> >>   if you configure it to only allow accesses from the local host.
> >You can bind on 127.0.0.1, which is then fairly secure.
> 
> Sorry, but it doesn't help much (as I said later on in the same message).
> If there's a security hole in the HTTP server, it is trivial to create a
> WWW page that, when accessed (with almost any browser), will have the
> browser create a connection to localhost and exploit the security hole.
> The connection comes from the browser, and thus from 127.0.0.1, so binding
> there doesn't help.

Sorry, but if you have local access to the machine, enough to be running a
web browser, then any small security holes in a nobody:nogroup webserver
will be even more exploitable by the local user sitting at the console.

I.e., what harm can you do by hacking through a tiny webserver that you
can't do sitting at the console?

Jason

