Domů Procházet Nápověda
Registrovat se Přihlásit se
third
/
freeswitch
2
0
Rozštěpit 0
Soubory
Strom: 132cdbdc45
Větve Značky
freeswitch
/
libs
/
xmlrpc-c
/
doc
/
SECURITY

SECURITY 2.1 KB
Historie Surový

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950 
  1. Security Advisories
    2. 

  2. ===================
    3. 

  3. 

  4. The Xmlrpc-c maintainer will normally post security advisories related
    5. 

  5. to xmlrpc-c to the xmlrpc-c-announce mailing list.  You can subscribe
    6. 

  6. to this using the web:
    7. 

  7. 

  8.   http://xmlrpc-c.sourceforge.net/lists.php
    9. 

  9. 

  10. You will also find a list of all known bugs including those with
    11. 

  11. security ramifications, in the release notes on Sourceforge.  To see
    12. 

  12. the release notes for a release, go to the file download page and
    13. 

  13. click on the release name.  The list is current only for the most
    14. 

  14. current release -- i.e. we stop adding to the list for release N after
    15. 

  15. we release N+1.
    16. 

  16. 

  17. 

  18. XML-RPC Security
    19. 

  19. ================
    20. 

  20. 

  21. There are some security issues inherent in XML-RPC:
    22. 

  22. 

  23.   1) XML-RPC messages are not encrypted at the XML-RPC level.  This
    24. 

  24.      means that unless you encrypt them at some lower level, someone
    25. 

  25.      with sufficient access to the network can see them with standard
    26. 

  26.      packet-sniffing and network administration tools.
    27. 

  27. 

  28.      This is especially dangerous because XML-RPC is a stateless protocol.
    29. 

  29.      If you include reusable authentication tokens in an XML-RPC call, they
    30. 

  30.      can probably be sniffed and used by attackers.
    31. 

  31. 

  32.      You can solve this problem by using SSL under HTTP.  This is possible
    33. 

  33.      with Xmlrpc-c, but it's nontrivial to set up and the Xmlrpc-c
    34. 

  34.      documentation doesn't tell you how.
    35. 

  35. 

  36.   2) There are no permission restrictions and no authentication built
    37. 

  37.      into Xmlrpc-c by default -- any client can call any method on any
    38. 

  38.      visible server and neither can know for sure to whom it is talking.
    39. 

  39. 

  40.      If you need permission and authentication, you either have to put
    41. 

  41.      it above the XML-RPC layer or below.  For a server, above means in
    42. 

  42.      the method code you supply and register with the Xmlrpc-c server
    43. 

  43.      facilities; below means something like a firewall that lets clients
    44. 

  44.      only from a certain IP address connect to your server.
    45. 

  45. 

  46.   3) XML-RPC is a complex protocol based on complex data structures.
    47. 

  47.      Layers and layers of potentially buggy code gets run between the
    48. 

  48.      time network data is received, and the time it is understood; and
    49. 

  49.      conversely between the time data is conceived and the time it
    50. 

  50.      gets sent.
    51.