FabModules / fabmodules-html5

Fork of HTML5 Fab Modules by Neil Gershenfeld

Client-server communication is insecure #22

Open jonnor opened 8 years ago

jonnor commented 8 years ago

The server will happily execute arbitrary commands sent by the client. Just type in rm -rf foo and it will be run.

There is some 'mitigation' in that the Websocket server will only accept connections from the same IP address. However, it is impossible to safely expose fabmodules over a network, which is one of the major benefits of a web-based system.

Proposed is to only execute a known subset of commands (enforced by server), not arbitrary stuff.

fibasile commented 8 years ago

This is true, I think limiting access to a specific set of commands (in the same folder as mod_server) would be enough.