Bug #370

closed

spawn-fcgi binds fcgis to *:port, which can be a security risk

Added by Anonymous almost 19 years ago. Updated over 16 years ago.

Status:
Fixed
Priority:
Normal
Category:
mod_fastcgi
Target version:

Description

Hey weigon,

See: http://dev.rubyonrails.org/ticket/2874

I found that spawn-fcgi (used with the rails spawner) binds fcgis to 0.0.0.0:port which can be a security risk. I think by default they should be bound to the loopback interface: 127.0.0.1:port and if they are to bind to the external interface, an IP or some "all external IPs" wildcard should be allowed.

best,

_alex

-- root

Actions #1

Updated by Anonymous almost 19 years ago

I'd like to second this request. It would be great to have an option to spawn-fcgi that specified the IP it listened on. Would make sense to default to localhost, but for backwards compatibility it would be fine to keep default as 0.0.0.0.

The key is that you be able to specify where it binds.

Probably unlikely that it would happen, but someone could point their lighttpd at remote ports, guessing that they might be waiting fcgi's, and occasionally be right.

-- mjankowski

Actions #2

Updated by Anonymous over 18 years ago

Starting from 1.4.11 spawn-fcgi has the -a option allowing you to select a specific IP address.

-- zsombor
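Added example, not part of the original ticket or of spawn-fcgi: one way to verify that FastCGI backends are bound to loopback rather than the wildcard address, by parsing the Linux `/proc/net/tcp` format. The sample lines, the backend ports 9000 and 9001, and the function names are constructed for illustration, and a little-endian host is assumed.

```python
import socket
import struct

# Constructed sample in Linux /proc/net/tcp format (header plus three sockets).
# Ports 9000 and 9001 are hypothetical FastCGI backend ports.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:2328 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 1001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:2329 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 1002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:2329 0100007F:C350 01 00000000:00000000 00:00000000 00000000    33        0 1003 1 0000000000000000 100 0 0 10 0
"""

TCP_LISTEN = 0x0A  # socket state value for LISTEN in /proc/net/tcp


def parse_listeners(proc_net_tcp_text):
    """Return (ip, port) for every IPv4 socket in LISTEN state."""
    listeners = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        if int(fields[3], 16) != TCP_LISTEN:
            continue  # established or other non-listening sockets
        hex_ip, hex_port = fields[1].split(":")
        # The address is a 32-bit value printed in host byte order
        # (assumed little-endian here), so repack it before formatting.
        ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
        listeners.append((ip, int(hex_port, 16)))
    return listeners


def exposed_backends(proc_net_tcp_text, backend_ports):
    """Return backend ports that listen on the wildcard address 0.0.0.0."""
    return sorted(
        port
        for ip, port in parse_listeners(proc_net_tcp_text)
        if port in backend_ports and ip == "0.0.0.0"
    )


if __name__ == "__main__":
    for port in exposed_backends(SAMPLE_PROC_NET_TCP, {9000, 9001}):
        print(f"FastCGI backend on port {port} is bound to 0.0.0.0")
```

On a live host, pass the contents of `/proc/net/tcp` instead of the sample; IPv6 listeners appear in `/proc/net/tcp6`, which this example does not parse.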

Actions #3

Updated by stbuehler over 16 years ago

  • Status changed from New to Fixed
  • Resolution set to fixed