The `localsysop` setting is dangerous and allows an attack where an attacker constructs a malicious webpage that makes a connection to `localhost` on the appropriate port and then takes over the server. Since the dev console can be used from `localhost` by default, this would include the ability to run arbitrary code on the server computer. Any server operator who browses the internet on the same computer where she or he hosts the server (such as some small-time server operators) would be vulnerable to having their computer taken over merely by visiting any webpage on the internet under the control of the attacker.
Showing with 1 addition and 19 deletions.
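The trust decision described in the commit message, as an added example that is not part of the commit or the project's code. It assumes the `localsysop` setting grants operator rights to any connection arriving from a loopback address; the function names, connection fields and sample connections are constructed for illustration.

```javascript
// Added illustration, not the project's code. Function names, connection
// fields and sample data are hypothetical.
const LOOPBACK = new Set(['127.0.0.1', '::1', '::ffff:127.0.0.1']);

// Weak (assumed localsysop-style rule): privilege follows the source address.
function sysopByAddress(conn) {
  return LOOPBACK.has(conn.remoteAddress);
}

// Hardened: the address is ignored; only a known operator credential counts.
function sysopByCredential(conn, operatorTokens) {
  return typeof conn.token === 'string' && operatorTokens.has(conn.token);
}

// Constructed connections. `origin` is the page that opened the connection,
// as a browser reports it; it is listed only to show who is really asking.
const SAMPLE_CONNECTIONS = [
  { label: 'operator admin client', remoteAddress: '127.0.0.1',
    origin: null, token: 'constructed-operator-token' },
  { label: 'third-party page in operator browser', remoteAddress: '127.0.0.1',
    origin: 'https://untrusted.example', token: undefined },
  { label: 'remote user', remoteAddress: '203.0.113.7',
    origin: 'https://play.example', token: undefined },
];

// Evaluate both rules and flag connections that only the weak rule trusts.
function compareRules(conns, operatorTokens) {
  return conns.map((conn) => {
    const byAddress = sysopByAddress(conn);
    const byCredential = sysopByCredential(conn, operatorTokens);
    return { label: conn.label, origin: conn.origin, byAddress, byCredential,
             overTrusted: byAddress && !byCredential };
  });
}

const RESULTS = compareRules(SAMPLE_CONNECTIONS,
                             new Set(['constructed-operator-token']));
for (const r of RESULTS) {
  console.log(`${r.label}: address rule=${r.byAddress}, ` +
              `credential rule=${r.byCredential}, over-trusted=${r.overTrusted}`);
}
```

The second row is the case in the commit message: its source address is identical to the operator's own client, so no address-based rule can separate the two.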