Hi Alyssa,

well, I do think there is a serious difference between:

* can play with the project parameters and mess them up

and

* can take over the whole machine in a snap

And: yes, I do know, there is htaccess, but, well, do you use ssh or telnet for your server administration tasks :) ?

And more importantly: if that is the idea the whole project has about security, it should be clearly stated in the documentation that by making the ops pages accessible, you do give shell access to the machine to anyone knowing the htaccess passwords... Or to anyone using your machine when you forgot to close all your browser windows, since htaccess credentials are saved internally in your web browser until restart.

I also haven't read anything about setting up SSL, if that *really* should be the idea...

Never mind that not caring about input parameter validation is clearly *bad* design in the first place.

Cheers,
Peter

On Sunday, 28.04.2013, 11:39 +0200, Alyssa Milburn wrote:
> > There is this very promising "Additional clauses" parameter which will
> > happily add anything to the search sql query I like.
> >
> > Needless to say, I can send arbitrary sql commands to the server
> > either using subselects or some other escape trickery.
>
> I think the general idea is that you're not meant to give access to the
> operators panel to anyone who you wouldn't give mysql/shell access to,
> so it's relatively harmless to add often-helpful functionality like this
> to the UI.
>
> You can do various project-damaging things by design anyway, which is why
> the default configuration mandates you have an .htaccess file there and why
> there's the option for an auth_ops function on top.
>
> (I've just been ignoring the ops scripts completely for this reason, there
> are indeed more issues in there if you give untrusted people access to it.)
>
> - Alyssa

-- 
Pohl's law: Nothing is so good that somebody, somewhere, will not hate it.
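The "Additional clauses" problem the thread describes, shown from the fixing side as an added example (not BOINC's own code): instead of pasting the field into the query, an allowlist-based builder parses "column op value" terms into parameterised SQL and rejects anything outside that grammar. The table, columns and rows are constructed for the demo, and Python with SQLite stands in for the project's PHP/MySQL.

```python
"""Allowlist filter builder for an ops-page "additional clauses" field (illustration, not BOINC code)."""
import re
import sqlite3

# Constructed demo schema; the real BOINC tables are not modelled here.
ALLOWED_COLUMNS = {"id", "name", "state"}
ALLOWED_OPS = {"=", "!=", "<", "<=", ">", ">=", "LIKE"}
# One clause is: identifier, operator, then a single-quoted string or a bare word.
_CLAUSE_RE = re.compile(r"^([A-Za-z_]\w*)\s*(=|!=|<=|>=|<|>|LIKE)\s*(?:'([^']*)'|(\w+))$", re.I)

class ClauseError(ValueError):
    """The user-supplied filter stepped outside the allowed grammar."""

def build_where(additional_clauses):
    """Turn "col op value AND col op value" into (sql_fragment, params).

    Columns and operators are only ever taken from the allowlists, and every
    value is bound as a parameter, so the input cannot alter query structure.
    """
    text = additional_clauses.strip()
    if not text:
        return "", []
    fragments, params = [], []
    for clause in re.split(r"\s+AND\s+", text, flags=re.I):
        m = _CLAUSE_RE.match(clause.strip())
        if not m:
            raise ClauseError(f"unparseable clause: {clause!r}")
        col, op = m.group(1).lower(), m.group(2).upper()
        if col not in ALLOWED_COLUMNS:
            raise ClauseError(f"column not allowed: {col}")
        if op not in ALLOWED_OPS:
            raise ClauseError(f"operator not allowed: {op}")
        value = m.group(3) if m.group(3) is not None else m.group(4)
        fragments.append(f"{col} {op} ?")
        params.append(int(value) if m.group(4) and value.isdigit() else value)
    return " AND ".join(fragments), params

def search(conn, additional_clauses):
    """Safe counterpart to pasting the field into the query text verbatim."""
    where, params = build_where(additional_clauses)
    sql = "SELECT id, name FROM result" + (f" WHERE {where}" if where else "")
    return conn.execute(sql, params).fetchall()

def demo_conn():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE result (id INTEGER, name TEXT, state INTEGER)")
    conn.executemany("INSERT INTO result VALUES (?, ?, ?)",
                     [(1, "wu_1", 2), (2, "wu_2", 5), (3, "other", 5)])
    return conn
```

A legitimate filter such as `state = 5 AND name LIKE 'wu%'` still works, while subselects, stacked statements or unlisted columns fail before any SQL is run.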
_______________________________________________
boinc_dev mailing list
[email protected]
http://lists.ssl.berkeley.edu/mailman/listinfo/boinc_dev
To unsubscribe, visit the above URL and (near bottom of page) enter your email address.
