On 03/26/2011 02:00 PM, Thomas Goirand wrote:
> I explained it already. The only thing that is supposed to connect to
> the SOAP server of DTC-Xen is the DTC panel. DTC-Xen hasn't been

I don't understand what you mean. If I understood this bug
correctly, there is a SOAP server that accepts incoming connections from
authorized users.



> designed for anything else. This is also why there is a dtc-xen-firewall
> that filters connection to the IP of the DTC panel,

At least in sid dtc-xen-firewall is only a recommended package.

> and why DTC-Xen SOAP
> server is using an auth over SSL.

Yes, so this is "only" an authenticated remote execution.


> Under these conditions, there's no way something/someone malicious can
> connect to DTC-Xen and do the kind of exploit described in this bug.
> If someone wants to change the behavior of DTC-Xen and allow connections
> and control from VPS *users*, then I would accept the patch. But that's
> currently not the design (yet).

Please explain: is there a mechanism that denies connections from VPS users?


Cheers,
Giuseppe.
