Bug #370

spawn-fcgi binds fcgis to *:port, which can be a security risk

Added by Anonymous over 14 years ago. Updated about 12 years ago.

Status: Fixed
Priority: Normal
Category: mod_fastcgi
Target version:

Description

Hey weigon,

See: http://dev.rubyonrails.org/ticket/2874

I found that spawn-fcgi (used with the rails spawner) binds fcgis to 0.0.0.0:port which can be a security risk. I think by default they should be bound to the loopback interface: 127.0.0.1:port and if they are to bind to the external interface, an IP or some "all external IPs" wildcard should be allowed.

best,

_alex

-- root

#1

Updated by Anonymous over 14 years ago

I'd like to second this request. It would be great to have an option to spawn-fcgi that specified the IP it listened on. Would make sense to default to localhost, but for backwards compatibility it would be fine to keep default as 0.0.0.0.

The key is that you be able to specify where it binds.

Probably unlikely that it would happen, but someone could point their lighttpd at remote ports, guessing that they might be waiting fcgi's, and occasionally be right.

-- mjankowski

#2

Updated by Anonymous about 14 years ago

Starting from 1.4.11 spawn-fcgi has the -a option allowing you to select a specific IP address.

-- zsombor

#3

Updated by stbuehler about 12 years ago

  • Status changed from New to Fixed
  • Resolution set to fixed
