With Eric Redmond's permission*, I am releasing a proof-of-concept
exploit which uses Riak's mapreduce API to execute arbitrary Erlang code
and obtain shell access.
http://aphyr.com/journals/show/do-not-expose-riak-directly-to-the-internet
Please stop doing this.
--Kyle
* Eric (http://crudcomic.com/post/11656603627/downside-of-crowdsourcing)
announced a publicly accessible Riak cluster today; with his
permission/supervision I used this exploit to gain shell access to his
server. He's taken down that cluster and encouraged me to release this
information.
I love the idea of a public sandbox for Riak--but it should be wrapped
in a rate-limiting HTTP proxy that only allows certain URLs, object
sizes, and methods. And limits the number of keys. :)
_______________________________________________
riak-users mailing list
riak-users@lists.basho.com
http://lists.basho.com/mailman/listinfo/riak-users_lists.basho.com
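The wrapper the mail asks for, as an added example (not code from the original post, from Kyle, or from Basho/Riak): a small reverse proxy that allow-lists methods and object URLs, caps PUT bodies, caps the number of distinct keys, and rate-limits each client address, refusing everything else before it reaches Riak. Assumed, not stated in the mail: Riak's HTTP listener is on 127.0.0.1:8098, objects are addressed as /riak/<bucket>/<key> or /buckets/<bucket>/keys/<key>, and map/reduce is reached by POST to /mapred. The numeric limits are arbitrary sandbox values.

```python
"""Allow-listing, rate-limiting reverse proxy in front of a public Riak sandbox.
Added example, not from the original mail or from Basho/Riak. Assumed: Riak's HTTP
API is on 127.0.0.1:8098, objects live at /riak/<bucket>/<key> or
/buckets/<bucket>/keys/<key>, and map/reduce is POST /mapred. Limits are arbitrary."""
import re
import time
import http.client
from collections import defaultdict
from http.server import BaseHTTPRequestHandler, HTTPServer

UPSTREAM = ("127.0.0.1", 8098)                     # assumed Riak HTTP listener
ALLOWED_METHODS = {"GET", "HEAD", "PUT", "DELETE"}  # no POST: /mapred needs it
MAX_OBJECT_BYTES = 64 * 1024                       # largest PUT body accepted
MAX_KEYS = 10_000                                  # distinct keys the sandbox will hold
RATE_PER_SEC, BURST = 5.0, 20.0                    # token bucket per client address

# Exactly one object in one bucket; no query string, no extra path segments, no
# percent-encoding, so bucket/key listing and /mapred can never match this.
OBJECT_PATH = re.compile(
    r"^/(?:riak/(?P<b1>[A-Za-z0-9_-]{1,64})/(?P<k1>[A-Za-z0-9_-]{1,128})"
    r"|buckets/(?P<b2>[A-Za-z0-9_-]{1,64})/keys/(?P<k2>[A-Za-z0-9_-]{1,128}))$"
)


class SandboxPolicy:
    """Decides whether one request may be forwarded; tracks keys and per-client rate."""

    def __init__(self, max_keys=MAX_KEYS, max_bytes=MAX_OBJECT_BYTES,
                 rate=RATE_PER_SEC, burst=BURST):
        self.max_keys, self.max_bytes, self.rate, self.burst = max_keys, max_bytes, rate, burst
        self.keys = set()                                   # (bucket, key) written via proxy
        self.clients = defaultdict(lambda: [burst, None])   # client -> [tokens, last_seen]

    def _take_token(self, client, now):
        tokens, last = self.clients[client]
        if last is not None:
            tokens = min(self.burst, tokens + (now - last) * self.rate)
        allowed = tokens >= 1.0
        self.clients[client] = [tokens - 1.0 if allowed else tokens, now]
        return allowed

    def check(self, method, path, content_length, client, now=None):
        """Return (allowed, (status, reason)); refused requests never reach Riak."""
        now = time.monotonic() if now is None else now
        if not self._take_token(client, now):
            return False, (429, "rate limit")
        if method not in ALLOWED_METHODS:
            return False, (405, "method not allowed")
        m = OBJECT_PATH.match(path)
        if not m:                       # /mapred, /riak?buckets=true, /stats ... land here
            return False, (403, "path not allowed")
        bucket, key = m.group("b1") or m.group("b2"), m.group("k1") or m.group("k2")
        if method == "PUT":
            if content_length is None:
                return False, (411, "length required")
            if content_length > self.max_bytes:
                return False, (413, "object too large")
            if (bucket, key) not in self.keys and len(self.keys) >= self.max_keys:
                return False, (507, "key limit reached")
            self.keys.add((bucket, key))
        elif method == "DELETE":
            self.keys.discard((bucket, key))
        return True, (200, "ok")


POLICY = SandboxPolicy()


class ProxyHandler(BaseHTTPRequestHandler):
    """Applies POLICY, then forwards the request to Riak with a minimal header set."""

    def _handle(self):
        raw = self.headers.get("Content-Length")
        length = int(raw) if raw is not None and raw.isdigit() else None
        ok, (status, reason) = POLICY.check(self.command, self.path, length,
                                            self.client_address[0])
        if not ok:
            self.send_error(status, reason)
            return
        body = self.rfile.read(length) if length else None
        fwd = {k: v for k, v in self.headers.items()
               if k.lower() in ("content-type", "accept", "if-match", "if-none-match")}
        conn = http.client.HTTPConnection(*UPSTREAM, timeout=5)
        conn.request(self.command, self.path, body=body, headers=fwd)
        resp = conn.getresponse()
        data = resp.read()
        conn.close()
        self.send_response(resp.status)
        for k, v in resp.getheaders():
            if k.lower() in ("content-type", "content-length", "etag", "last-modified"):
                self.send_header(k, v)
        self.end_headers()
        if self.command != "HEAD":
            self.wfile.write(data)

    do_GET = do_HEAD = do_PUT = do_DELETE = do_POST = _handle


if __name__ == "__main__":   # this should be the only listener reachable from outside
    HTTPServer(("0.0.0.0", 8080), ProxyHandler).serve_forever()
```

The policy is deliberately an allow-list: a request must match one of the two object URL shapes exactly, so the map/reduce endpoint, bucket and key listing, query strings and any future endpoint are refused without having to be named. POST is excluded outright because /mapred is reached through it, and the key cap counts only what was written through the proxy, so Riak itself must still be bound to a loopback or private address.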