[Mono-dev] Potential security problem on EndPointManager.cs


정연운(Jung, Yeonwoon)

Mar 24, 2012, 9:38:43 AM
to mono-de...@lists.ximian.com, gon...@ximian.com
Hi,

While I was working on my project, I found that the HttpChannel class doesn't take the IP from the 'bindTo' property correctly. HttpChannel internally uses HttpListener, so I wrote a simple test application like the one below:

using System;
using System.Net;

static void Main(string[] args)
{
    HttpListener listener = new HttpListener();
    // The prefix names the loopback address only, so the expected result is a
    // socket bound to 127.0.0.1:9999, not to every interface.
    listener.Prefixes.Add(String.Format("http://127.0.0.1:9999/"));
    listener.Start();

    Console.WriteLine("Press return to quit...");
    Console.ReadLine();

    listener.Stop();
}

I expect it to open port 9999 bound to the specified IP, 127.0.0.1, but netstat -anp | grep :9999 shows the following result:

root@test-vm:~/mono-2.10.8.1# netstat -anp | grep :9999
tcp        0      0 0.0.0.0:9999          0.0.0.0:*               LISTEN      15300/mono


Of course, the MS .NET runtime library works as expected:

C:\Users\yeonwoon>netstat -an | findstr :9999
  TCP    127.0.0.1:9999         0.0.0.0:0              LISTENING


As you might know, this could be a potential vulnerability in terms of network security. If someone opens a port on a machine with multiple network interfaces combined with public/private IPs, even when that person restricted the binding to the private network on purpose, the Mono runtime doesn't bind the IP address as expected. As a result, the port is available on the public network as well.

I already sent a pull request on GitHub; please review and take it.


--
Yeonwoon
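
As an added example (not code from this thread, and not Mono's or .NET's own code), the following C# program starts the same loopback-only listener and then, instead of trusting the prefix string, reads the OS socket table to confirm that port 9999 is bound exclusively to 127.0.0.1 and not to the wildcard 0.0.0.0 that the netstat output above shows. The class and method names (`BindingCheck`, `ListenersOnPort`, `IsBoundOnlyTo`) are chosen here; the example assumes `IPGlobalProperties.GetActiveTcpListeners()` is implemented on the platform (it reports the same data netstat prints). A service that needs a private-interface-only binding can run this check at startup and refuse to serve if the runtime widened the binding.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.NetworkInformation;

// Added example, not from the original thread: verify the effective binding of
// an HttpListener against the OS socket table rather than the prefix string.
static class BindingCheck
{
    // Local endpoints the OS reports as LISTENING on `port` (the same data
    // netstat -an shows). Assumes GetActiveTcpListeners() works on this platform.
    static IPEndPoint[] ListenersOnPort(int port)
    {
        return IPGlobalProperties.GetIPGlobalProperties()
            .GetActiveTcpListeners()
            .Where(ep => ep.Port == port)
            .ToArray();
    }

    // True only if at least one socket listens on `port` and every such socket
    // is bound to `expected`. A 0.0.0.0 (IPAddress.Any) or :: (IPAddress.IPv6Any)
    // entry fails this test, which is exactly the widened binding reported above.
    static bool IsBoundOnlyTo(IPAddress expected, int port)
    {
        IPEndPoint[] listeners = ListenersOnPort(port);
        return listeners.Length > 0 && listeners.All(ep => ep.Address.Equals(expected));
    }

    static int Main()
    {
        const int port = 9999;                 // port used in the original report
        IPAddress expected = IPAddress.Loopback; // 127.0.0.1

        HttpListener listener = new HttpListener();
        listener.Prefixes.Add("http://127.0.0.1:" + port + "/");
        listener.Start();
        try
        {
            foreach (IPEndPoint ep in ListenersOnPort(port))
                Console.WriteLine("listening on " + ep);

            if (!IsBoundOnlyTo(expected, port))
            {
                // Do not keep serving on an interface the operator did not intend.
                Console.Error.WriteLine("FAIL: port " + port + " is not bound exclusively to " + expected);
                return 1;
            }

            Console.WriteLine("OK: port " + port + " is bound to " + expected + " only");
            return 0;
        }
        finally
        {
            listener.Stop();
        }
    }
}
```

On a runtime with the bug described in this thread the program prints a `0.0.0.0:9999` entry and exits with status 1; on a runtime that honours the prefix it prints `127.0.0.1:9999` and exits 0. Checking the socket table rather than the configuration is the useful habit here, because the configuration was correct in the report and the binding was still wrong.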

Gonzalo Paniagua Javier

Mar 24, 2012, 12:14:15 PM
to 정연운(Jung, Yeonwoon), gon...@ximian.com, mono-de...@lists.ximian.com
On Sat, Mar 24, 2012 at 9:38 AM, 정연운(Jung, Yeonwoon) <flo...@gmail.com> wrote:
[...]

>
> As you might know, this could be a potential vulnerability in terms of
> network security. If someone opens a port on a machine with multiple
> network interfaces combined with public/private IPs, even when that person
> restricted the binding to the private network on purpose, the Mono runtime
> doesn't bind the IP address as expected. As a result, the port is available
> on the public network as well.
>
> I already sent a pull request on GitHub; please review and take it.

Done. Thanks.

-Gonzalo
_______________________________________________
Mono-devel-list mailing list
Mono-de...@lists.ximian.com
http://lists.ximian.com/mailman/listinfo/mono-devel-list
