Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

security problem in debug mode #8081

Closed
magicode opened this issue Aug 12, 2016 · 2 comments
Closed

security problem in debug mode #8081

magicode opened this issue Aug 12, 2016 · 2 comments

Comments

@magicode
Copy link

  • v6.2.2:
  • x86_64 GNU/Linux:
  • Ubuntu 14.04.2 LTS:

I found a security problem that can be severe in debug mode

i run app in my server with --debug flag

node --debug app.js

check tcp listen

lsof -p <pid> -P

and i see this line

node    13721 root   14u  IPv6 2273468957      0t0        TCP *:5858 (LISTEN)

i check it by curl from other server, like this. (i change my ipv6 address)

curl -g -6 http://[2a00:1450:4007:808::200e]:5858/

and i get this

Type: connect
V8-Version: 5.0.71.52
Protocol-Version: 1
Embedding-Host: node v6.2.2
Content-Length: 0
@bnoordhuis
Copy link
Member

That is a known issue, see #3306 (comment), and will probably change again some day. Perhaps we can still do this for v7.

We can't do that in release branches because it would be backwards incompatible but you can force it to bind to a local address with --debug=127.0.0.1:5353.

@magicode
Copy link
Author

magicode commented Aug 12, 2016
edited
Loading

In previous versions node force use loopback
developers can not know this change to listen to anything.
i developer 4 years in node and I was surprised from that.

@bnoordhuis bnoordhuis mentioned this issue Aug 15, 2016
Merged
bnoordhuis added a commit to bnoordhuis/io.js that referenced this issue Aug 23, 2016
@bnoordhuis
src: make debugger listen on 127.0.0.1 by default
8e7cbe2 
Commit 2272052 ("net: bind to `::` TCP address by default") from
April 2014 seems to have accidentally changed the default listen
address from 127.0.0.1 to 0.0.0.0, a.k.a. the "any" address.

From a security viewpoint it's undesirable to accept debug agent
connections from anywhere so let's change that back.  Users can
override the default with the `--debug=<host>:<port>` switch.

Fixes: nodejs#8081
PR-URL: nodejs#8106
Reviewed-By: James M Snell <jasnell@gmail.com>
@sam-github sam-github mentioned this issue Jan 7, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@bnoordhuis @magicode