Re: Simple script to Monitor LVS via Web

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: Simple script to Monitor LVS via Web
From: Jeremy Kerr <jk@xxxxxxxxxx>
Date: Wed, 12 Oct 2005 23:53:58 +1000
Luca,

> <? $cmd="sudo /sbin/ipvsadm -L ". $dns_flag; passthru($cmd); ?>

Whoa.

If you use this script with register_globals set (and assuming you've
set it up so that the sudo works), you've got a remote *root*
vulnerability right there.

eg: http://example.com/script.php?resolve_dns=1&dnsflag=;rm+-rf+/

You may want to ensure your variables are clean beforehand, and avoid
the sudo completely (maybe use a helper process?).


Jeremy
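A hardened form of the quoted one-liner, added here as an example and not code from the original poster or from the LVS project: the flag text never comes from the request, the only values that can reach the shell are constants chosen from an allowlist, and the request is read from `$_GET` rather than relying on register_globals. It assumes ipvsadm's real `-n` (numeric, do not resolve names) option and that the web server's sudoers entry is restricted to exactly these two invocations; the function and parameter names are this example's own.

```php
<?php
// Added example, not the original script. Hardened replacement for:
//   <? $cmd="sudo /sbin/ipvsadm -L ". $dns_flag; passthru($cmd); ?>
// where $dns_flag was (with register_globals) attacker-controlled.

// Derive the flag from a yes/no query parameter instead of accepting the
// flag string itself. "resolve_dns=1" -> show names (no flag); anything
// else -> numeric output via ipvsadm's real "-n" option.
function ipvsadm_flag_from_request(array $query): string
{
    $resolve = isset($query['resolve_dns']) && $query['resolve_dns'] === '1';
    return $resolve ? '' : '-n';
}

// Build the command line from constants only. The allowlist check is a
// second line of defence in case a later edit starts passing other input.
function build_ipvsadm_command(string $flag): string
{
    $allowed = ['', '-n'];
    if (!in_array($flag, $allowed, true)) {
        throw new InvalidArgumentException('unexpected ipvsadm flag');
    }
    // Assumption: sudoers grants the web user exactly
    //   /sbin/ipvsadm -L   and   /sbin/ipvsadm -L -n
    // with no other arguments.
    $argv = ['sudo', '/sbin/ipvsadm', '-L'];
    if ($flag !== '') {
        $argv[] = $flag;
    }
    // Quote every element anyway; nothing here is user-controlled,
    // so this only guards against future changes to the list.
    return implode(' ', array_map('escapeshellarg', $argv));
}

$cmd = build_ipvsadm_command(ipvsadm_flag_from_request($_GET));
header('Content-Type: text/plain');
passthru($cmd);
```

Even with the input fixed, the script still runs a privileged command from the web server process; the helper-process suggestion above (a small setuid or cron-driven program that writes ipvsadm's output to a file the script merely reads) removes sudo from the web tier altogether and is the better design.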

