Re: Documentation server security issues
Buddha Buck wrote:
>> > >On Jul 7, Riku Saikkonen wrote
>> > >> An HTTP server listening on any TCP port is not secure, even
>> > >> if you configure it to only allow accesses from the local host.
>I think I understand what Riku is saying... Let's see if I can explain
...
>attractive. One of which is a link to "http://localhost/carefully-chosen-data".
>Of course, it's labeled "COPS" or "Kuang Ice Breaker" (an
...
>The next thing that happens is that -I- contact the vulnerable web
>server, from within any firewalls, bound sockets, etc, that might
>prevent the black hats from breaking in, sending -his- chosen sequence.
Yes, this is exactly what I was talking about. Thanks for the nice
explanation. :)
Anyway, if, as Christian said, the documentation server is optional, then
I'm content. I'll still help minimise the danger by checking the code if
someone decides to write a tiny server.
(I think I found a buffer overflow problem in the short server code someone
posted to debian-devel a few days ago (something to do with strcat()ing to
fn, I think it was), but didn't look at it more carefully because I thought
that it was alpha code anyway. If whoever wrote it is listening and wants me
to check the code, mail it to me. :)) (I really should save interesting
mailing list messages more often...)
--
-=- Rjs -=- rjs@spider.compart.fi, rjs@lloke.dna.fi
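The overflow Riku mentions comes from appending a request path to a fixed-size file name buffer with strcat(), and Buddha Buck's explanation shows why a localhost-only server still receives attacker-chosen requests (a browser sends them). As an added example, not the server code posted to debian-devel and not Riku's or anyone else's from this thread, here is a bounds-checked version of that path-building step in C; the DOC_ROOT value, the function name and the accepted character set are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed documentation root; Debian of the time kept docs under /usr/doc. */
#define DOC_ROOT "/usr/doc"

/*
 * Build the file name for a request path into fn (fn_size bytes).
 * Returns true on success, false if the request is rejected or would
 * not fit.  Every request is treated as hostile: a link on any web
 * page can make the local browser send an arbitrary path here.
 *
 * The unsafe pattern this replaces looked like:
 *     strcpy(fn, DOC_ROOT); strcat(fn, req);   // no length check on req
 */
bool build_doc_path(const char *req, char *fn, size_t fn_size)
{
    if (req == NULL || req[0] != '/')
        return false;                    /* only absolute request paths */

    /* Allow a small, explicit character set in the request path. */
    for (const char *p = req; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if (!(isalnum(c) || c == '/' || c == '.' || c == '-' || c == '_'))
            return false;
    }

    /* Reject directory traversal and empty path components. */
    if (strstr(req, "..") != NULL || strstr(req, "//") != NULL)
        return false;

    /* snprintf never writes past fn_size; a truncated result is an error,
       not a silently shortened file name. */
    int n = snprintf(fn, fn_size, "%s%s", DOC_ROOT, req);
    if (n < 0 || (size_t)n >= fn_size)
        return false;                    /* would have overflowed fn */

    return true;
}
```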