On Wed 12 Oct 2005 15:51:43 BST , Malcolm Turnbull
<malcolm@xxxxxxxxxxxxxxxx> wrote:
> That's why PHP no longer has register globals defaulted!
> And also why you lock down your admin ip address by source ip.
> My code has this vulnerability, but I'm not sure a helper app would
> be any more secure (sudo is a helper app.)
...as all the relevant values are produced in
/proc/net/ip_vs[_app,_conn,_stats] then why not just write something to
process those values instead? They're globally readable and don't need
any helper apps to view them at all.
Yes, you'd be re-inventing a small part of ipvsadm's functionality. The
security improvements alone are worth it; the fact that the overhead of
running sudo & then ipvsadm is removed by just doing an open() on a
/proc file might be worth it in situations where you may have many
users running your web app.
Sure, you need to decode the hex values to make them "nice". Unless you
have the sort of users who read hex encoding all the time :)
Graeme
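The approach Graeme describes above, as an added example (not code from the thread, from ipvsadm or from the LVS project): a small parser that does a plain open() on /proc/net/ip_vs, decodes the hex addresses and ports, and renders the result in roughly the shape of `ipvsadm -Ln`, so a web app can show the table without sudo, a helper app or a shell. The sample /proc contents embedded below are constructed for illustration and follow the 2.6-era layout (the kernel prints IPv4 addresses as `%08X` of ntohl(addr) and ports as `%04X`); the path argument and the `[...]` IPv6 handling are assumptions for newer kernels.

```python
"""Read and decode /proc/net/ip_vs without sudo or ipvsadm (added example)."""
import socket
import struct
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample of /proc/net/ip_vs: hex addresses/ports in network order.
SAMPLE_IP_VS = """\
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP  C0A80001:0050 rr
  -> C0A80101:0050      Masq    1      3          10
  -> C0A80102:0050      Masq    2      0          0
UDP  C0A80001:0035 wlc persistent 300 FFFFFFFF
  -> C0A80103:0035      Route   1      0          0
FWM  00000001 rr
  -> C0A80104:0000      Tunnel  1      0          0
"""


@dataclass
class Destination:
    address: str
    port: int
    forward: str       # Masq / Route / Tunnel
    weight: int
    active_conn: int
    inact_conn: int


@dataclass
class Service:
    proto: str         # TCP / UDP / FWM
    address: str       # dotted quad, or "fwm" for a firewall-mark service
    port: int          # TCP/UDP port, or the mark value for FWM
    scheduler: str
    flags: str         # e.g. "persistent 300 FFFFFFFF", "" if none
    dests: List[Destination] = field(default_factory=list)


def hex_to_ipv4(h: str) -> str:
    """'C0A80001' -> '192.168.0.1'; the kernel prints ntohl(addr) as %08X."""
    return socket.inet_ntoa(struct.pack("!I", int(h, 16)))


def parse_addr_port(token: str) -> Tuple[str, int]:
    """Split 'HEXADDR:HEXPORT'; '[hex6]:port' (IPv6, newer kernels) is passed through."""
    addr, _, port = token.rpartition(":")
    if addr.startswith("["):
        return addr[1:-1], int(port, 16)
    return hex_to_ipv4(addr), int(port, 16)


def parse_ip_vs(text: str) -> List[Service]:
    services: List[Service] = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "->":
            # Skip the column header and any orphan dest with no service above it.
            if parts[1] == "RemoteAddress:Port" or not services:
                continue
            addr, port = parse_addr_port(parts[1])
            services[-1].dests.append(Destination(
                addr, port, parts[2], int(parts[3]), int(parts[4]), int(parts[5])))
        elif parts[0] in ("TCP", "UDP", "SCTP"):
            addr, port = parse_addr_port(parts[1])
            services.append(Service(parts[0], addr, port, parts[2], " ".join(parts[3:])))
        elif parts[0] == "FWM":
            services.append(Service("FWM", "fwm", int(parts[1], 16), parts[2],
                                    " ".join(parts[3:])))
        # The version banner and "Prot ..." header are ignored.
    return services


def read_ip_vs(path: str = "/proc/net/ip_vs") -> List[Service]:
    """Live table: just an open() on a world-readable file, no helper app."""
    with open(path) as f:
        return parse_ip_vs(f.read())


def format_table(services: List[Service]) -> str:
    """Render in the style of `ipvsadm -Ln`, with the hex already decoded."""
    out = []
    for s in services:
        if s.proto == "FWM":
            head = f"FWM  {s.port} {s.scheduler}"
        else:
            head = f"{s.proto}  {s.address}:{s.port} {s.scheduler}"
        if s.flags:
            head += " " + s.flags
        out.append(head)
        for d in s.dests:
            out.append(f"  -> {d.address}:{d.port:<6} {d.forward:<7} "
                       f"{d.weight:<6} {d.active_conn:<10} {d.inact_conn}")
    return "\n".join(out)


if __name__ == "__main__":
    try:
        table = read_ip_vs()          # real box with ip_vs loaded
    except OSError:
        table = parse_ip_vs(SAMPLE_IP_VS)  # fall back to the constructed sample
    print(format_table(table))
```

Nothing here runs a subprocess or touches user input, which is the point: the web app's privilege boundary becomes "can read a world-readable file" rather than "can run ipvsadm as root through sudo". Unknown line types are ignored rather than raising, so a newer kernel that adds a column or an IPv6 service degrades to a missing row instead of a 500 page.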