Generally I would never put any database open on the Internet... Is there something special about Riak that would cause people to change this rule of thumb?
-- paul

On Oct 19, 2011, at 4:50 PM, "Aphyr" <ap...@aphyr.com> wrote:

> With Eric Redmond's permission*, I am releasing a proof-of-concept
> exploit which uses Riak's mapreduce API to execute arbitrary Erlang code
> and obtain shell access.
>
> http://aphyr.com/journals/show/do-not-expose-riak-directly-to-the-internet
>
> Please stop doing this.
>
> --Kyle
>
> * Eric (http://crudcomic.com/post/11656603627/downside-of-crowdsourcing)
> announced a publicly accessible Riak cluster today; with his
> permission/supervision I used this exploit to gain shell access to his
> server. He's taken down that cluster and encouraged me to release this
> information.
>
> I love the idea of a public sandbox for Riak--but it should be wrapped
> in a rate-limiting HTTP proxy that only allows certain URLs, object
> sizes, and methods. And limits the number of keys. :)
>
> _______________________________________________
> riak-users mailing list
> riak-users@lists.basho.com
> http://lists.basho.com/mailman/listinfo/riak-users_lists.basho.com
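One concrete shape of the proxy Kyle describes above, added here as an example that is not from the thread, from Basho or from Riak itself: an nginx fragment (assumed to sit inside the http block) that forwards only GET/PUT/DELETE on single-key paths of one bucket, caps the request body, and rate-limits per client, so the mapreduce endpoint, bucket listing and status pages are never reachable from outside. Riak's default HTTP listener on 127.0.0.1:8098, the default /riak object path, the bucket name "sandbox" and the hostname are assumptions for this example; the key-count limit Kyle also asks for still needs application logic outside nginx.

```nginx
# Added example (not from the thread): nginx front end for a public Riak
# sandbox. Goes in the http {} block. Assumed: Riak HTTP on 127.0.0.1:8098,
# objects under /riak/<bucket>/<key>, sandbox bucket named "sandbox".

# Per-client rate limit: 5 requests/second, keyed on the client address.
limit_req_zone $binary_remote_addr zone=riak_sandbox:10m rate=5r/s;

server {
    listen 80;
    server_name sandbox.example.com;      # placeholder hostname

    client_max_body_size 64k;             # cap object size per request
    limit_req zone=riak_sandbox burst=10 nodelay;

    # Default deny: /mapred, /stats, /ping, link walking, bucket listing
    # (/riak/sandbox?keys=true) and any other path all stop here.
    location / {
        return 403;
    }

    # The only admitted URL shape: one bucket, one key, a bounded key charset.
    # The regex requires a key segment, so bucket-level URLs never match.
    location ~ ^/riak/sandbox/[A-Za-z0-9_-]{1,64}$ {
        # Only plain object reads, writes and deletes; POST and others denied.
        limit_except GET PUT DELETE { deny all; }

        proxy_pass http://127.0.0.1:8098;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}
```

Test with `nginx -t`, then confirm from outside that `POST /mapred` and `GET /riak/sandbox?keys=true` return 403 while `GET /riak/sandbox/somekey` reaches Riak.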