Jeremy, this is a good point. I wrote it as a quick and dirty hack
without security in mind. It is used on the internal net from trusted
users who indeed have root access to the servers ;-)
However, sudo is configured to run only /sbin/ipvsadm from www-data
user, so I think that /bin/rm could not be executed.
Cheers,
Luca
PS: maybe we are going OT, please reply to me directly
On 12/10/05, Jeremy Kerr <jk@xxxxxxxxxx> wrote:
> > eg: http://example.com/script.php?resolve_dns=1&dnsflag=;rm+-rf+/
>
> Sorry, that should have been:
>
> http://example.com/script.php?resolve_dns=1&dns_flag=;sudo+rm+-rf+/
>
> which will do the `rm -rf /` as root.
>
>
> Jeremy
>
> _______________________________________________
> LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> or go to http://www.in-addr.de/mailman/listinfo/lvs-users
>
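The exchange above is about an unvalidated GET parameter being pasted into a shell command that is run through sudo. The following is an added example, not code from the thread or from the LVS project: it shows the vulnerable shape beside a hardened form that maps the parameter through a fixed allow-list and never hands user input to the shell. The `dns_flag` values, the `list_vs_*` function names and the sudoers line in the comment are assumptions made for illustration.

```php
<?php
// Added example, not the script discussed in the thread.
// Assumption: dns_flag selects whether ipvsadm prints numeric addresses.

// Vulnerable shape as described in the thread: the raw parameter lands on a
// shell command line, so a ';' in it starts a second command. Running the
// command through sudo only widens what that second command can do.
function list_vs_unsafe(string $dnsFlag): string
{
    return (string) shell_exec("sudo /sbin/ipvsadm -L " . $dnsFlag);
}

// Hardened form: the request value is only ever a key into this table.
const IPVSADM_FLAGS = [
    '0' => '-n', // numeric output, no DNS lookups
    '1' => '',   // resolve names (ipvsadm's default behaviour)
];

// Returns the ipvsadm option for a request value, or null if it is not allowed.
function ipvsadm_flag_for(string $dnsFlag): ?string
{
    return IPVSADM_FLAGS[$dnsFlag] ?? null;
}

function list_vs_safe(string $dnsFlag): string
{
    $flag = ipvsadm_flag_for($dnsFlag);
    if ($flag === null) {
        // Reject anything outside the allow-list instead of passing it on.
        http_response_code(400);
        return "invalid dns_flag\n";
    }

    // The option comes from our own table, and escapeshellarg() is still
    // applied so the shell sees exactly one argument.
    $cmd = 'sudo /sbin/ipvsadm -L';
    if ($flag !== '') {
        $cmd .= ' ' . escapeshellarg($flag);
    }
    return (string) shell_exec($cmd);
}

// Assumed sudoers entry, restricted to the exact invocation the script needs
// (hypothetical; adjust the argument list to what the page actually runs):
//   www-data ALL = (root) NOPASSWD: /sbin/ipvsadm -L -n
```

The allow-list is what closes the injection: no character from the request reaches the shell, so restricting sudo to `/sbin/ipvsadm` is a second layer rather than the only one. Pinning the sudoers entry to the full argument list keeps it that way even if the script later gains another parameter.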