Ticket #370 (new enhancement)

Opened 3 years ago

Last modified 8 months ago

spawn-fcgi binds fcgis to *:port, which can be a security risk

Reported by: root@turingstudio.com
Assigned to: jan
Priority: high
Milestone: 1.5.0
Component: mod_speed
Version: 1.4.17
Severity: major
Keywords:
Cc: kalli007@hotmail.fr
Blocking:
Need Feedback: 0

Description

Hey weigon,

See: http://dev.rubyonrails.org/ticket/2874

I found that spawn-fcgi (used with the rails spawner) binds fcgis to 0.0.0.0:port which can be a security risk. I think by default they should be bound to the loopback interface: 127.0.0.1:port and if they are to bind to the external interface, an IP or some "all external IPs" wildcard should be allowed.

best,

_alex

Change History

12/15/2005 05:31:17 AM changed by mjankowski@unicorngroomers.com

I'd like to second this request. It would be great to have an option to spawn-fcgi that specified the IP it listened on. Would make sense to default to localhost, but for backwards compatibility it would be fine to keep default as 0.0.0.0.

The key is that you be able to specify where it binds.

Probably unlikely that it would happen, but someone could point their lighttpd at remote ports, guessing that they might be waiting fcgi's, and occasionally be right.

05/19/2006 10:12:01 AM changed by zsombor@primalgrasp.com

Starting from 1.4.11 spawn-fcgi has the -a option allowing you to select a specific IP address.

09/09/2007 10:09:03 AM changed by anonymous

  • severity changed from normal to major.
  • cc changed from rtomayko@gmail.com to kalli007@hotmail.fr.
  • component changed from mod_fastcgi to mod_speed.
  • priority changed from normal to high.
  • version changed from 1.4.5 to 1.4.17.
  • milestone set to 1.5.0.
  • type changed from defect to enhancement.
  • blocking changed.
  • pending changed.
