cloudstack-issues mailing list archives

From "Tomasz Zieba (JIRA)" <j...@apache.org>
Subject [jira] [Created] (CLOUDSTACK-6283) User can omit secstorage.allowed.internal.sites limit
Date Tue, 25 Mar 2014 17:16:15 GMT
Tomasz Zieba created CLOUDSTACK-6283:
----------------------------------------

             Summary: User can omit secstorage.allowed.internal.sites limit
                 Key: CLOUDSTACK-6283
                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6283
             Project: CloudStack
          Issue Type: Bug
      Security Level: Public (Anyone can view this level - this is the default.)
          Components: SystemVM
    Affects Versions: 4.2.1
         Environment: ACS4.2.1
                      CitrixXen 6.2SP1
            Reporter: Tomasz Zieba


The user is able to bypass the IP address limitations for downloading templates set in Global
Settings: secstorage.allowed.internal.sites

by specifying a URL that includes a port in addition to http or https, i.e.:

http://x.y.v.z:8080/file.vhd

The problem is the rules that are applied on the Secondary Storage VM:

iptables -S OUTPUT

-P OUTPUT ACCEPT
-A OUTPUT -d 172.16.1.0/24 -o eth1 -p tcp -m state --state NEW -m tcp -j ACCEPT
-A OUTPUT -o eth1 -p tcp -m state --state NEW -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o eth1 -p tcp -m state --state NEW -m tcp --dport 443 -j REJECT --reject-with icmp-port-unreachable


Limitations concern only ports 80 and 443 

Is it possible to introduce filtering of the entire traffic or to prohibit using a port in the URL?




--
This message was sent by Atlassian JIRA
(v6.2#6252)
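
Added example, not part of the original report or of CloudStack's code: a first-match evaluator over the OUTPUT rules listed in the report, useful for auditing which new outbound TCP connections on eth1 the Secondary Storage VM would let through. The address 198.51.100.7 is constructed, and the parser interprets only -d, --dport and -j, an assumption that is sufficient for these rules.

```python
import ipaddress
import shlex

# Rules as listed in the report (output of `iptables -S OUTPUT` on the SSVM).
RULES = """\
-P OUTPUT ACCEPT
-A OUTPUT -d 172.16.1.0/24 -o eth1 -p tcp -m state --state NEW -m tcp -j ACCEPT
-A OUTPUT -o eth1 -p tcp -m state --state NEW -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o eth1 -p tcp -m state --state NEW -m tcp --dport 443 -j REJECT --reject-with icmp-port-unreachable
"""

def parse(text):
    """Return (default_policy, [rule dicts]) for the OUTPUT chain."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        tok = shlex.split(line)
        if not tok:
            continue
        if tok[0] == "-P":          # chain policy: applies when no rule matches
            policy = tok[2]
            continue
        rule = {"dst": None, "dport": None, "target": None}
        for flag, value in zip(tok, tok[1:]):
            if flag == "-d":
                rule["dst"] = ipaddress.ip_network(value, strict=False)
            elif flag == "--dport":
                rule["dport"] = int(value)
            elif flag == "-j":
                rule["target"] = value
        rules.append(rule)
    return policy, rules

def verdict(text, dst_ip, dport):
    """First-match verdict for a new outbound TCP connection on eth1."""
    policy, rules = parse(text)
    addr = ipaddress.ip_address(dst_ip)
    for r in rules:
        if r["dst"] is not None and addr not in r["dst"]:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["target"]
    return policy                   # nothing matched: fall through to -P

if __name__ == "__main__":
    # 198.51.100.7 is a constructed address outside the accepted 172.16.1.0/24.
    for ip, port in [("172.16.1.10", 8080), ("198.51.100.7", 80),
                     ("198.51.100.7", 443), ("198.51.100.7", 8080)]:
        print(f"{ip}:{port} -> {verdict(RULES, ip, port)}")
```

Only the port 8080 connection to the constructed outside address falls through to the ACCEPT policy, which is the gap the report describes; running the same check against a candidate rule set shows whether a port-independent REJECT closes it.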
