On 03/26/2011 02:00 PM, Thomas Goirand wrote:
> I explained it already. The only thing that is supposed to connect to
> the SOAP server of DTC-Xen is the DTC panel. DTC-Xen hasn't been

I don't understand what you mean. If I understood this bug correctly, there is a SOAP server that accepts incoming connections from authorized users.

> designed for anything else. This is also why there is a dtc-xen-firewall
> that filters connection to the IP of the DTC panel,

At least in sid, dtc-xen-firewall is only a recommended package.

> and why DTC-Xen SOAP
> server is using an auth over SSL.

Yes, so this is "only" an authenticated remote execution.

> Under these conditions, there's no way something/someone malicious can
> connect to DTC-Xen and do the kind of exploit described in this bug.
> If someone wants to change the behavior of DTC-Xen and allow connections
> and control from VPS *users*, then I would accept the patch. But that's
> currently not the design (yet).

Please explain: is there a mechanism that denies connections from VPS users?

Cheers,
Giuseppe.