From: <kl...@ta...> - 2006-07-06 08:38:41
Sergei Golovan wrote:
> Hi!
>
> I would like to submit two little patches to Yaws (BTW, it's an
> excellent piece of software!)
>
> 1) Yaws 1.63 doesn't work with PHP version 4.3.2 or later (see
> http://bugs.php.net/bug.php?id=28227). These versions of PHP look at
> SCRIPT_FILENAME environment variable to find the filename.
> The patch simply defines this variable.
>
> 2) It seems to me that module yaws_ctl is insecure. Now it's perfectly
> possible for local user to find yaws_ctl socket (usually there are
> only a few sockets which listen on localhost) and send the command to
> yaws_ctl, for example stopping the server (DoS attack).
> The patched Yaws uses simple cookie-based authentication. Cookie is
> stored in the same file as the port to connect. So, to be able to
> control Yaws the attacker must read the Yaws control file.
>
> Both patches are attached (in a single file).

Very nice patches - thanks.

/klacke

--
Claes Wikstrom                        -- Caps lock is nowhere and
http://www.tail-f.com                 -- everything is under control
cellphone: +46 70 2097763
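
The cookie scheme described in point 2 above, as an added Python sketch; it is not the attached patch and not Yaws code. The wire format ("<cookie> <command>"), the file layout ("<port> <cookie>"), the function names and the temporary path are all assumptions made for illustration. It shows what the scheme depends on: the control file must be owner-only, and the cookie is compared in constant time.

```python
import hmac, os, secrets, socket, stat, tempfile, threading

def write_ctl_file(path, port):
    # O_EXCL refuses a pre-planted file or symlink; 0o600 keeps other local users out.
    cookie = secrets.token_hex(16)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(f"{port} {cookie}\n")
    return cookie

def handle(conn, cookie):
    # One request per connection: "<cookie> <command>\n" (assumed format).
    with conn, conn.makefile("r") as rd:
        sent, _, command = rd.readline().strip().partition(" ")
        # Constant-time comparison so response timing does not leak the cookie.
        if hmac.compare_digest(sent.encode(), cookie.encode()):
            conn.sendall(f"ok {command}\n".encode())
        else:
            conn.sendall(b"denied\n")

def start_server(ctl_path, n_requests):
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))          # loopback only, kernel-chosen port
    srv.listen()
    cookie = write_ctl_file(ctl_path, srv.getsockname()[1])
    def loop():
        with srv:
            for _ in range(n_requests):
                handle(srv.accept()[0], cookie)
    t = threading.Thread(target=loop, daemon=True)
    t.start()
    return t

def send_command(port, cookie, command):
    with socket.create_connection(("127.0.0.1", port)) as c, c.makefile("r") as rd:
        c.sendall(f"{cookie} {command}\n".encode())
        return rd.readline().strip()

def demo():
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ctl")   # constructed path, not Yaws's real location
        t = start_server(path, 2)
        with open(path) as f:           # a legitimate client reads port and cookie
            port, cookie = f.read().split()
        mode = stat.S_IMODE(os.stat(path).st_mode)
        authorised = send_command(int(port), cookie, "status")
        rejected = send_command(int(port), "guess", "stop")
        t.join()
        return mode, authorised, rejected

if __name__ == "__main__":
    print(demo())
```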