 |
Home
| Calendar
| Mail Lists
| List Archives
| Desktop SIG
| Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings Linux Cafe | Meeting Notes | Linux Links | Bling | About BLU |
|
Home
| Calendar
| Mail Lists
| List Archives
| Desktop SIG
| Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings Linux Cafe | Meeting Notes | Linux Links | Bling | About BLU |
Dan Barrett <nullpointer at pobox.com> writes:
> On Tuesday 24 February 2004 14:02, Derek Atkins wrote:
>> Why are you even trying to use 'pserver' for write operations? That's
>> a security hole waiting to bit you in the rear.
>
> Even when it's bound to the loopback device on an iptable'd box with NO open
> ports, sitting behind a separate firewall which also permits no inbound
> connection attempts? I'm not overly worried.
You should be. There have been numerous security flaws in the
pserver implementation allowing users to gain shell access
(and from there ROOT access). Firewalls do you no good if an
attacker can still connect to a broken service.
And besides, what's the point of using pserver on a loopback device?
Just 'cvs -d /path/to/cvsroot' and be done with it.
-derek
--
Derek Atkins 617-623-3745
derek at ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant
 |
|
| BLU is a member of BostonUserGroups | |
| We also thank MIT for the use of their facilities. | |
