#5 Add Simple Cookie-based Authentication to yaws_ctl.erl

Status: closed-fixed
Owner: nobody
Labels: None
Priority: 5
Updated: 2007-06-12
Created: 2006-07-05
Creator: Sergei Golovan
Private: No

It seems to me that module yaws_ctl is insecure. Now it's perfectly possible for a local user to find the yaws_ctl socket (usually there are only a few sockets which listen on localhost) and send a command to yaws_ctl, for example stopping the server (DoS attack).

The patched Yaws uses simple cookie-based authentication. The cookie is stored in the same file as the port to connect to. So, to be able to control Yaws, the attacker must read the Yaws control file.
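The scheme the report describes, as an added example that is not the Yaws code or the submitted patch: a control listener on 127.0.0.1 writes its port and a random cookie into one file with mode 0600, a client must read that file to obtain the cookie, and the server rejects any command whose cookie does not match. The module name, the `{Port, Cookie}` file layout, the line-oriented `"<cookie> <command>\n"` wire format, the command set and the file path are all assumptions made for the example. The cookie comparison is done in constant time so a local process cannot guess it byte by byte.

```erlang
%% ctl_cookie_demo: hypothetical cookie-protected control socket (example code,
%% not yaws_ctl). Requires OTP 20+ for string:trim/1 on binaries.
-module(ctl_cookie_demo).
-export([start_server/2, send_cmd/2, demo/0]).

%% Write {Port, Cookie} as a consultable Erlang term and restrict the file to
%% the owner. Assumption: the file is created in a directory only the Yaws
%% user can enter, so the short window before change_mode/2 does not matter.
write_ctl_file(Path, Port) ->
    Cookie = hex(crypto:strong_rand_bytes(16)),
    ok = file:write_file(Path, io_lib:format("~p.~n", [{Port, Cookie}])),
    ok = file:change_mode(Path, 8#600),
    Cookie.

hex(Bin) ->
    list_to_binary([io_lib:format("~2.16.0b", [B]) || <<B>> <= Bin]).

%% Constant-time equality: compare every byte, accumulate differences with bor.
const_eq(A, B) when byte_size(A) =/= byte_size(B) -> false;
const_eq(A, B) ->
    Pairs = lists:zip(binary_to_list(A), binary_to_list(B)),
    0 =:= lists:foldl(fun({X, Y}, Acc) -> Acc bor (X bxor Y) end, 0, Pairs).

%% Listen on loopback only, publish the port and cookie, then serve commands.
%% Handler is a fun(CommandBinary) -> ReplyBinary.
start_server(Path, Handler) ->
    {ok, LSock} = gen_tcp:listen(0, [binary, {packet, line}, {active, false},
                                     {reuseaddr, true}, {ip, {127, 0, 0, 1}}]),
    {ok, Port} = inet:port(LSock),
    Cookie = write_ctl_file(Path, Port),
    Pid = spawn_link(fun() -> accept_loop(LSock, Cookie, Handler) end),
    {ok, Pid, Port}.

%% One request per connection: "<cookie> <command>\n". Anything without a
%% matching cookie is refused before the command is even looked at.
accept_loop(LSock, Cookie, Handler) ->
    {ok, Sock} = gen_tcp:accept(LSock),
    Reply = case gen_tcp:recv(Sock, 0, 5000) of
                {ok, Line} ->
                    case binary:split(string:trim(Line), <<" ">>) of
                        [Got, Cmd] ->
                            case const_eq(Got, Cookie) of
                                true  -> Handler(Cmd);
                                false -> <<"error: bad cookie\n">>
                            end;
                        _ -> <<"error: malformed request\n">>
                    end;
                {error, _} -> <<"error: timeout\n">>
            end,
    gen_tcp:send(Sock, Reply),
    gen_tcp:close(Sock),
    accept_loop(LSock, Cookie, Handler).

%% Legitimate client: read port and cookie from the control file, send command.
send_cmd(Path, Cmd) ->
    {ok, [{Port, Cookie}]} = file:consult(Path),
    {ok, Sock} = gen_tcp:connect({127, 0, 0, 1}, Port,
                                 [binary, {packet, line}, {active, false}]),
    ok = gen_tcp:send(Sock, [Cookie, " ", Cmd, "\n"]),
    Reply = gen_tcp:recv(Sock, 0, 5000),
    gen_tcp:close(Sock),
    Reply.

%% demo/0: an authorised client succeeds; a local attacker who found the port
%% by scanning localhost but cannot read the 0600 file is refused.
demo() ->
    Path = "/tmp/ctl_cookie_demo.ctl",
    Handler = fun(<<"status">>) -> <<"ok: running\n">>;
                 (<<"stop">>)   -> <<"ok: stopping\n">>;
                 (_)            -> <<"error: unknown command\n">>
              end,
    {ok, _Pid, Port} = start_server(Path, Handler),
    {ok, <<"ok: running\n">>} = send_cmd(Path, "status"),
    {ok, Sock} = gen_tcp:connect({127, 0, 0, 1}, Port,
                                 [binary, {packet, line}, {active, false}]),
    ok = gen_tcp:send(Sock, "deadbeef stop\n"),
    {ok, <<"error: bad cookie\n">>} = gen_tcp:recv(Sock, 0, 5000),
    gen_tcp:close(Sock),
    ok.
```

Run with `erlc ctl_cookie_demo.erl && erl -noshell -s ctl_cookie_demo demo -s init stop`; the pattern matches in `demo/0` fail loudly if either path misbehaves. The security property rests entirely on the file permissions: a cookie that any local user can read gives no more protection than the unauthenticated socket did, and a server that answers a wrong cookie differently from a malformed line should do so without revealing how many bytes matched, which is why the comparison is constant time.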

Discussion

  • Sergei Golovan
    2006-07-05
  • Claes Wikstrom
    2007-06-12

    • status: open --> closed-fixed