mailing list archives
Medium security hole in Varnish reverse proxy
From: Tim Brown <timb () nth-dimension org uk>
Date: Mon, 29 Mar 2010 08:49:55 +0100
I've identified a couple of security flaws affecting the Varnish reverse proxy
which may allow privilege escalation. These issues were reported by email to
the vendor but he feels that it is a configurational issue rather than a design
flaw. Whilst I can partially see his point in that the administrative
interface can be disabled, I'm not convinced that making a C compiler
available over a network interface without authentication is sound practice,
especially when the resultant compiled code can be made to run as root rather
<mailto:timb () nth-dimension org uk>
Description: This is a digitally signed message part.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
- Medium security hole in Varnish reverse proxy Tim Brown (Mar 29)