Hi Michael,
since it is possible to set custom events for devices without requiring the admin password (e.g., using the Windows client), there's a possibility of hijacking a server connected to the same LAN without knowing the password just by launching the VirtualHere client and setting a custom event handler to launch a malicious script (changing a password, rebooting the server, etc.) on a device and just waiting for the event to eventually happen.
All in all, I think that setting event scripts should be possible only for someone who knows the password.
Yes, that's a good point, but it's OK because the custom event handler will only accept the following commands:
1. nothing
2. power_cycle_port
3. port=off
4. REMOVE (to remove an event that was set)
I fixed this security hole a few years ago, so it's fine; there is no danger of an rm -rf / or something like that :)
Thanks for the insight, so if I would like to call a shell script, I can't define the event from the GUI and would need to manually edit the server's config file? That solves the security problem :-)
You can no longer pass in a script call, you must edit the config.ini file directly. Actually a message will also be logged to syslog if you attempt to do it via the client.
Great, thanks, good to know!