[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Documentation server security issues

On Mon, 7 Jul 1997, Riku Saikkonen wrote:

> Bernd Eckenfels wrote:
> >On Jul 7, Riku Saikkonen wrote
> >>   An HTTP server listening on any TCP port is not secure, even
> >>   if you configure it to only allow accesses from the local host.
> >You can bind on, which is then fairly secure.
> Sorry, but it doesn't help much (as I said later on in the same message).
> If there's a security hole in the HTTP server, it is trivial to create a
> WWW page that, when accessed (with almost any browser), will have the
> browser create a connection to localhost and exploit the security hole.
> The connection comes from the browser, and thus from, so binding
> there doesn't help.

Sorry, but if you have local access to the machine, enough to be running a
web browser then any small security holes in a nobody:nogroup webserver
will be even more exploitable by the local user sitting at the console.

Ie, what harm can you do by hacking through a tiny webserver that you
can't do sitting at the console? 


TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-devel-request@lists.debian.org . 
Trouble?  e-mail to templin@bucknell.edu .

Reply to: