FS#33621 - [redis] Redis is exposed to the world by default
Attached to Project: Community Packages
Opened by John Lockman (ultramancool) - Tuesday, 29 January 2013, 01:12 GMT
Last edited by Sergej Pupykin (sergej) - Tuesday, 29 January 2013, 12:55 GMT
Details
Description:
Redis is bound to 0.0.0.0:6379 by default. Leaving this exposed to the internet can present a huge security vulnerability and allow external users to manipulate data in redis. It should only be bound to localhost by default or a notice should at least be presented upon installation warning the user about this.

Additional info:
* package version: community/redis 2.6.8-1 on x86_64

Steps to reproduce:
1) Install redis
2) nmap -p6379 your public interface
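
A configuration check for the default described in this report, added here as an example and not part of the original ticket or of the redis package. It reads redis.conf text and reports whether the effective bind setting is loopback-only; the function names and sample configs are constructed, and it assumes that a missing bind directive means all interfaces and that a later bind line replaces an earlier one.

```python
import ipaddress

# Constructed sample configs (not taken from the package).
SAMPLES = {
    "commented-out": "# bind 127.0.0.1\nport 6379\n",
    "wildcard": "bind 0.0.0.0\nport 6379\n",
    "loopback": "port 6379\nbind 127.0.0.1\n",
    "overridden": "bind 127.0.0.1\nbind 192.168.1.10\n",
}

def effective_bind(conf_text):
    """Return the addresses of the last active `bind` directive ([] if none)."""
    addrs = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment; a commented-out bind has no effect
        parts = line.split()
        if parts[0].lower() == "bind":
            # Assumption: a later bind directive replaces an earlier one.
            addrs = [p.strip("\"'") for p in parts[1:]]
    return addrs

def audit_bind(conf_text):
    """Return ('loopback-only' | 'exposed', reasons) for a redis.conf text."""
    addrs = effective_bind(conf_text)
    if not addrs:
        # Assumption: without a bind directive the server listens on all interfaces.
        return "exposed", ["no bind directive: listens on all interfaces"]
    reasons = []
    for addr in addrs:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            # Not an IP literal: fail closed and ask for a manual check.
            reasons.append(f"{addr}: not an IP literal, check manually")
            continue
        if ip.is_unspecified:
            reasons.append(f"{addr}: wildcard address, all interfaces")
        elif not ip.is_loopback:
            reasons.append(f"{addr}: non-loopback interface")
    return ("exposed" if reasons else "loopback-only"), reasons

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        status, why = audit_bind(text)
        print(f"{name}: {status} {why}")
```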