lvs-users
To: | "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx> |
---|---|
Subject: | Re: Simple script to Monitor LVS via Web |
From: | Jeremy Kerr <jk@xxxxxxxxxx> |
Date: | Wed, 12 Oct 2005 23:53:58 +1000 |
Luca,

> <?
> $cmd="sudo /sbin/ipvsadm -L ". $dns_flag;
> passthru($cmd);
> ?>

Whoa. If you use this script with register_globals set (and assuming you've set it up so that the sudo works), you've got a remote *root* vulnerability right there. eg:

http://example.com/script.php?resolve_dns=1&dnsflag=;rm+-rf+/

You may want to ensure your variables are clean beforehand, and avoid the sudo completely (maybe use a helper process?)

Jeremy
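The "clean variables" advice in the mail above, as an added example that is not part of the original message or of the script it discusses: the request only selects between fixed arguments, and the command runs without a shell. The function names and the meaning given to `resolve_dns` (off means ipvsadm's `-n` numeric output) are assumptions.

```php
<?php
// Added example, not the original script. Assumption: resolve_dns=1 means
// "resolve names"; anything else adds ipvsadm's -n (numeric) option.
// No request value is ever copied into the command line.

/** Build the ipvsadm argv from request parameters (allowlist only). */
function build_ipvsadm_argv(array $query): array
{
    $argv = ['/sbin/ipvsadm', '-L'];
    // Strict comparison: only the exact string "1" enables name resolution.
    $resolve = isset($query['resolve_dns']) && $query['resolve_dns'] === '1';
    if (!$resolve) {
        $argv[] = '-n';
    }
    return $argv;
}

/** Run a fixed argv with no shell (array form of proc_open, PHP >= 7.4). */
function run_argv(array $argv): string
{
    $spec = [1 => ['pipe', 'w'], 2 => ['file', '/dev/null', 'w']];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start ' . $argv[0]);
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return $out;
}

// Constructed sample requests, including the hostile value from the mail.
$samples = [
    ['resolve_dns' => '1'],
    [],
    ['resolve_dns' => '1', 'dnsflag' => ';rm -rf /'],
    ['resolve_dns' => '1;id'],
];
foreach ($samples as $q) {
    echo json_encode($q), ' => ', implode(' ', build_ipvsadm_argv($q)), "\n";
}
// In the page itself:
//   echo htmlspecialchars(run_argv(build_ipvsadm_argv($_GET)));
// How the web user gets the privilege to read the IPVS table (the helper
// process the mail suggests instead of sudo) is not covered here.
```

Every sample, including the two hostile ones, yields either `/sbin/ipvsadm -L` or `/sbin/ipvsadm -L -n`.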