Work at SourceForge, help us to make it a better place! We have an immediate need for a Support Technician in our San Francisco or Denver office.

Close

#152 Error in documentation leading to possible security issue.

PeerGuardian_Linux
closed
NULLContext
Driver (56)
5
2012-11-11
2005-07-28
Mentaloid
No

The documentation refers to the http server running on
127.0.0.1:5555 only, however doing a netstat -anp will
show this..
"tcp 0 0 0.0.0.0:5555 0.0.0.0:* LISTEN -"

This shows that there is a listen for tcp 5555 on ALL
interface, and will accept any source.

I believe the error in code is in HttpServer.cpp line186

"server.sin_addr.s_addr = INADDR_ANY;"

I believe it should read

"server.sin_addr.s_addr = inet_addr('127.0.0.1');"

I also verified there was no other code for source IP
checking - there isn't as verified by 192.168.0.0/24
and 10.0.0.0/23 ips and as well as misc internet ips.

This should be fixed on the listening line to prevent
possible overflow problems with refusing connections
past the listening state. An alternative would be to
make the listen address selectable by the user.
Personally I would preffer this approach as I am using
peerguardian on my linux transparent brouter/firewall.

Also on a related front, it should be possible to have
pg interface to the FORWARD chain as with out this is
will not filter routed packets.. which in the case of a
router with would be desired. I've already accomplished
this via my own hack to the source code.

Discussion

  • jre-phoenix
    jre-phoenix
    2010-04-07

    In an effort to make this tracker usable again, this report is closed.

    If this report relates to the PeerGuardian Windows application, you
    may try PeerBlock instead: http://www.peerblock.com.

    If this report relates to an IP that is blocked or not blocked: The
    blocklists are maintained by http://www.bluetack.co.uk and
    http://tbg.iblocklist.com.

    If this report is about failed blocklist downloads. Check out
    http://iblocklist.com, this site offers reliable downloads of all
    blocklists.