mirror of
https://github.com/signalwire/freeswitch.git
synced 2025-08-13 01:26:58 +00:00
build
clients
cmake_modules
conf
debian
docs
dtd
freeswitch.xcodeproj
fscomm
htdocs
libs
apr
apr-util
broadvoice
curl
esl
freetdm
iksemel
ilbc
js
ldns
libcodec2
libdingaling
libedit
libg722_1
libks
libnatpmp
libscgi
libsndfile
libteletone
libtpl-1.5
libwebsockets
libzrtp
miniupnpc
openzap
pcre
portaudio
silk
sofia-sip
spandsp
speex
sqlite
srtp
stfu
tiff-4.0.2
unimrcp
win32
xmlrpc-c
Windows
conf
doc
COPYING
CREDITS
DEVELOPING
HISTORY
INSTALL
SECURITY
TESTING
TODO
configure_doc
examples
include
lib
src
tools
GNUmakefile
Makefile
Makefile.depend
README
common.mk
config.mk.in
configure.in
dll-common.mk
dylib-common.mk
install-sh
irix-common.mk
missing
mkinstalldirs
srcdir.mk.in
stamp-h.in
transport_config.mk
unix-common.mk
version.mk
xmlrpc-c-config.main
xmlrpc-c-config.test.main
xmlrpc_amconfig.h.in
xmlrpc_config.h.in
yaml
.gitignore
patches
scripts
src
support-d
w32
web
.gitattributes
.gitignore
CMakeLists.txt
Freeswitch.2005.unsupported.sln
Freeswitch.2008.express.unsupported.sln
Freeswitch.2008.sln.debug.bat
Freeswitch.2008.sln.release.bat
Freeswitch.2008.unsupported.sln
Freeswitch.2010.express.sln
Freeswitch.2010.sln
Freeswitch.2012.sln
INSTALL
Makefile.am
acinclude.m4
bootstrap.sh
cc.sh
cluecon.tmpl
cluecon2.tmpl
cluecon2_small.tmpl
cluecon_small.tmpl
configure.in
devel-bootstrap.sh
erlang.spec
freeswitch-sounds-en-us-callie.spec
freeswitch-sounds-music.spec
freeswitch-sounds-ru-RU-elena.spec
freeswitch.spec
swig_common.i
51 lines
2.1 KiB
Plaintext
51 lines
2.1 KiB
Plaintext
|
Security Advisories
|
||
|
|
===================
|
||
|
|
|
||
|
|
The Xmlrpc-c maintainer will normally post security advisories related
|
||
|
|
to xmlrpc-c to the xmlrpc-c-announce mailing list. You can subscribe
|
||
|
|
to this using the web:
|
||
|
|
|
||
|
|
http://xmlrpc-c.sourceforge.net/lists.php
|
||
|
|
|
||
|
|
You will also find a list of all known bugs including those with
|
||
|
|
security ramifications, in the release notes on Sourceforge. To see
|
||
|
|
the release notes for a release, go to the file download page and
|
||
|
|
click on the release name. The list is current only for the most
|
||
|
|
current release -- i.e. we stop adding to the list for release N after
|
||
|
|
we release N+1.
|
||
|
|
|
||
|
|
|
||
|
|
XML-RPC Security
|
||
|
|
================
|
||
|
|
|
||
|
|
There are some security issues inherent in XML-RPC:
|
||
|
|
|
||
|
|
1) XML-RPC messages are not encrypted at the XML-RPC level. This
|
||
|
|
means that unless you encrypt them at some lower level, someone
|
||
|
|
with sufficient access to the network can see them with standard
|
||
|
|
packet-sniffing and network administration tools.
|
||
|
|
|
||
|
|
This is especially dangerous because XML-RPC is a stateless protocol.
|
||
|
|
If you include reusable authentication tokens in an XML-RPC call, they
|
||
|
|
can probably be sniffed and used by attackers.
|
||
|
|
|
||
|
|
You can solve this problem by using SSL under HTTP. This is possible
|
||
|
|
with Xmlrpc-c, but it's nontrivial to set up and the Xmlrpc-c
|
||
|
|
documentation doesn't tell you how.
|
||
|
|
|
||
|
|
2) There are no permission restrictions and no authentication built
|
||
|
|
into Xmlrpc-c by default -- any client can call any method on any
|
||
|
|
visible server and neither can know for sure to whom it is talking.
|
||
|
|
|
||
|
|
If you need permission and authentication, you either have to put
|
||
|
|
it above the XML-RPC layer or below. For a server, above means in
|
||
|
|
the method code you supply and register with the Xmlrpc-c server
|
||
|
|
facilities; below means something like a firewall that lets clients
|
||
|
|
only from a certain IP address connect to your server.
|
||
|
|
|
||
|
|
3) XML-RPC is a complex protocol based on complex data structures.
|
||
|
|
Layers and layers of potentially buggy code gets run between the
|
||
|
|
time network data is received, and the time it is understood; and
|
||
|
|
conversely between the time data is conceived and the time it
|
||
|
|
gets sent.
|