On 07/24/2010 06:38 PM, Cyril Bonté wrote:

Judd, I don't know if you're already using your patch but be careful:
I've identified a security hole in the original patch. POST data are processed
even if the request is not for the statistics page.
This means that it's possible to disable servers (assuming the backend and
server names can be found by users) by sending POST requests on the service
URLs.

I am new to the code and it is still confusing to me, so I suspected I'd make a mistake like this. All of our HAProxy servers are inside the firewall and only a few people have access, so for me it's okay, but not for release and general consumption. Thanks for finding that.

I'll find some time this week to test your new patch.

Judd
