#5 Add Simple Cookie-based Authentication to yaws_ctl.erl

Status: closed-fixed
Owner: nobody
Labels: None
Priority: 5
Updated: 2007-06-12
Created: 2006-07-05
Private: No

It seems to me that module yaws_ctl is insecure. Now it's perfectly possible for a local user to find the yaws_ctl socket (usually there are only a few sockets which listen on localhost) and send a command to yaws_ctl, for example stopping the server (DoS attack). The patched Yaws uses simple cookie-based authentication. The cookie is stored in the same file as the port to connect to. So, to be able to control Yaws, the attacker must read the Yaws control file.
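The scheme the report describes, as an added example in Python rather than Erlang and not code from the Yaws patch itself: a loopback control socket whose port and a random cookie live in a control file created owner-only (0600), so a local user who finds the port but cannot read the file has no cookie to present. The two-line file layout, the request format `<cookie> <command>` and the `stop` command are assumptions made for this example.

```python
import hmac, os, secrets, socket, stat, tempfile, threading

# Assumed control-file layout for this example (not Yaws's real format):
# "<port>\n<cookie>\n". The file is created with mode 0600 so other local
# users, who may well be able to find the listening port, cannot read the cookie.
def write_ctl_file(path, port):
    cookie = secrets.token_hex(16)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(f"{port}\n{cookie}\n")
    return cookie

def read_ctl_file(path):
    # Refuse to trust a control file that other users could have read.
    if os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError("control file must not be group/world accessible")
    with open(path) as f:
        port, cookie = f.read().split()
    return int(port), cookie

def handle_command(expected_cookie, line):
    """Server side: a request line is '<cookie> <command>'; check before dispatch."""
    parts = line.split(maxsplit=1)
    if len(parts) != 2 or not hmac.compare_digest(parts[0], expected_cookie):
        return "error: authentication failed"
    return "ok: stopping" if parts[1] == "stop" else "error: unknown command"

def serve_one(server_sock, cookie):
    conn, _ = server_sock.accept()
    with conn:
        conn.sendall(handle_command(cookie, conn.recv(4096).decode().strip()).encode())

def send(port, line):
    with socket.create_connection(("127.0.0.1", port)) as s:
        s.sendall(line.encode())
        return s.recv(4096).decode()

def demo():
    """Runs a bare 'stop' (what an unprivileged local user could send) and then
    a cookie-authenticated 'stop' read from the 0600 control file."""
    srv = socket.socket(); srv.bind(("127.0.0.1", 0)); srv.listen(1)
    port = srv.getsockname()[1]
    path = os.path.join(tempfile.mkdtemp(), "yaws.ctl")   # constructed location
    cookie = write_ctl_file(path, port)
    results = []
    for line in ["stop", f"{read_ctl_file(path)[1]} stop"]:
        t = threading.Thread(target=serve_one, args=(srv, cookie)); t.start()
        results.append(send(port, line)); t.join()
    srv.close()
    return results   # returns ['error: authentication failed', 'ok: stopping']
```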

Discussion

  • Sergei Golovan

    Sergei Golovan - 2006-07-05

  • Claes Wikstrom

    Claes Wikstrom - 2007-06-12
    • status: open --> closed-fixed
