Monday, September 02, 2024

Re: WAS: MariaDB install any different for OpenBSD 7.5 than 6.4? NOW: 0.0.0.0 Exploit Impact OpenBSD?

> On Sun, Sep 01, 2024 at 05:09:14PM -0400, David Colburn wrote:
>> > >
>> > > 3. That's the addresses where the server daemon will listen to for
>> > > connections from clients. It has to be the address of one of the
>> > > machine's interfaces. See previous messages on the thread, to decide
>> > > whether you want it to listen on a loopback interface, or on an
>> > > egress interface. Set this option to 0.0.0.0 to listen on all
>> > > available interfaces.

That is talking about the address that mariadb server is listening on.
0.0.0.0 is "listen for requests to any v4 address on the machine".

>> I was searching to learn about using a specific machine interface vs 0.0.0.0
>>
>> and came upon this from August 7, 2024 ...
>>
>> https://www.oligo.security/blog/0-0-0-0-day-exploiting-localhost-apis-from-the-browser

That is talking about browsers allowing client connections *to*
0.0.0.0 which may allow javascript/html to trigger making a connection
to a service that is only listening to 127.0.0.1. Now you could still
connect to that service by connecting to 127.0.0.1, but newer browsers
specifically treat connections to localhost or private network
addresses as more highly privileged, and don't allow random websites to
do that (only trigger connections to internet servers).

That (or the v6 equivalent) doesn't work on OpenBSD anyway.

$ telnet 0.0.0.0 22
Trying 0.0.0.0...
telnet: connect to address 0.0.0.0: Invalid argument

$ telnet :: 22
Trying ::...
telnet: connect to address ::: Invalid argument
>> Although they don't specifically mention OpenBSD is it correct that:
>>
>> A. Using 0.0.0.0 in my server settings may be less-secure?
>>
>> B. That in the near future it won't work at all?
>>
>> C. I'm misunderstanding the article and it's not relevant to my server
>> setup?

C.
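An added example, not part of the original thread, that reproduces the distinction the reply draws: a socket bound to 0.0.0.0 (the MariaDB bind-address case) accepts connections arriving on any v4 interface, while 0.0.0.0 used as a connect *destination* depends on the OS, rejected with EINVAL on OpenBSD as the telnet output above shows, routed to loopback on Linux. The function name and the use of an ephemeral port are my choices.

```python
import errno
import socket


def probe_destinations(destinations=("127.0.0.1", "0.0.0.0")) -> dict:
    """Bind a listener to 0.0.0.0 (INADDR_ANY: accept on every v4
    interface), then try to connect to it through each destination
    address.  Returns {destination: "connected" | errno name}."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("0.0.0.0", 0))   # port 0: kernel picks a free port
    listener.listen(5)              # backlog completes the handshake, no accept() needed
    port = listener.getsockname()[1]

    results = {}
    for dst in destinations:
        client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        client.settimeout(2)
        try:
            client.connect((dst, port))
            results[dst] = "connected"
        except OSError as e:
            # OpenBSD: connect() to 0.0.0.0 fails with EINVAL.
            # Linux: 0.0.0.0 is treated like 127.0.0.1 and connects.
            results[dst] = errno.errorcode.get(e.errno, str(e))
        finally:
            client.close()
    listener.close()
    return results


if __name__ == "__main__":
    for dst, outcome in probe_destinations().items():
        print(f"connect to {dst}: {outcome}")
```

Run it on the host in question to see which behaviour applies; a 127.0.0.1 result of "connected" next to a 0.0.0.0 result of EINVAL is the OpenBSD case.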
