On Fri, Oct 24, 2008 at 11:51 PM, RB <[EMAIL PROTECTED]> wrote:
>
> You beat me to the translation... Looking at their live demo (yes,
> they have one running in a VM)
Which is going to be rooted in short order if they don't lock it down significantly more. They attempted to do so, but didn't do nearly enough. In seconds, Scott and I found a way to do anything we want as root on this demo. We didn't do anything to it other than poke around, and I won't disclose what the specific first issue found was. There are more possibilities even with this specific hole closed.

Note that unless you seriously modify the pfSense code and run it in a different environment (starting with a web server running as something other than root - whoami proves they're running that web server as root), it's not safe to give random people on the Internet access to the admin interface. 1.2 assumes an authenticated user has root privileges in many areas, just because anyone who can log in can do anything to the system. It's neither intended nor designed for a scenario where you're handing out your root password to the entire world. 1.3 is different because you can have multiple user accounts with differing access levels.

It would take a vast amount of effort to make something like this available in a safe manner with 1.2, which is why we haven't done so. If anyone else is considering it - it's not a good idea.

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
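The reply above makes its case with a single `whoami` from the web UI. A check an operator can run from a shell before exposing any admin interface is to list the processes that look like web servers and flag those owned by root. The script below is an added example, not code from the thread or from pfSense; the `ps` output it parses is constructed for illustration, and the set of process names it treats as web servers is an assumption.

```shell
#!/bin/sh
# Added example (not from the pfSense thread): flag web-server processes that
# run as root, parsed from `ps -axo user,pid,command` style output.

# Constructed sample of `ps -axo user,pid,command` output; not captured from a real host.
SAMPLE_PS='USER     PID COMMAND
root       1 /sbin/init --
root     812 /usr/local/sbin/lighttpd -f /var/etc/lighty-webConfigurator.conf
www      930 /usr/local/sbin/httpd -k start
nobody  1002 /usr/local/sbin/lighttpd -f /usr/local/etc/lighttpd.conf'

# web_servers_as_root PS_TEXT
# Prints "PID COMMAND" for every process whose user column is root and whose
# command path matches a known web-server binary name (assumed list: lighttpd,
# httpd, nginx, apache). Returns 1 if any such process was found, 0 otherwise,
# so the function can be used directly in an if/&&/|| test.
web_servers_as_root() {
    printf '%s\n' "$1" |
    awk 'NR > 1 && $1 == "root" && $3 ~ /(lighttpd|httpd|nginx|apache)/ {
             print $2, $3
             found = 1
         }
         END { exit found ? 1 : 0 }'
}

# check_host: run the same check against the live process table of this host.
check_host() {
    web_servers_as_root "$(ps -axo user,pid,command)"
}

# Demonstration on the constructed sample (use check_host on a real system).
if web_servers_as_root "$SAMPLE_PS"; then
    echo "OK: no web server process is running as root"
else
    echo "WARNING: web server process(es) above run as root; an authenticated UI user is effectively root"
fi
```

On the sample, only PID 812 (lighttpd started with the webConfigurator config) is reported; the `www` and `nobody` instances pass. Running `check_host` on a 1.2-era pfSense box is expected to report its web server, which is exactly the condition the reply warns about.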
