On Fri, Jul 09, 2010 at 11:40:59AM -0500, Peter Samuelson wrote:
>
> [Stefan Sperling]
> > "Before the SO_EXCLUSIVEADDRUSE socket option was introduced, there was
> > very little a network application developer could do to prevent a
> > malicious program from binding to the port on which the network
> > application had its own sockets bound."
> >
> > So not using SO_EXCLUSIVEADDR means the denial-of-service still works?
>
> Well, the same article describes the changes made in Windows Server
> 2003: now this seems to be true only if the malicious app is running as
> the same user as svnserve.

Yes, Server 2003 should be OK without SO_EXCLUSIVEADDR.
It's the older Windows systems that will still have problems,
and I don't think we should be ignoring them (as much as I'd love
it if everyone just ditched Windows for good).
Stefan
Received on 2010-07-09 18:46:23 CEST
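
The socket option discussed in this thread, as an added example that is not part of the original messages and not svnserve's code: a listener that requests SO_EXCLUSIVEADDRUSE where the platform defines it, plus a self-check that a second bind to the same port is refused. The function names `make_listener` and `second_bind_succeeds` are hypothetical.

```python
import socket


def make_listener(host="127.0.0.1", port=0):
    """Return a listening TCP socket, exclusive where the platform allows it."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        # Python exposes SO_EXCLUSIVEADDRUSE only on Windows builds.
        excl = getattr(socket, "SO_EXCLUSIVEADDRUSE", None)
        if excl is not None:
            # Must be set before bind(); SO_REUSEADDR is deliberately
            # not set on this socket.
            sock.setsockopt(socket.SOL_SOCKET, excl, 1)
        # Elsewhere the option does not exist; socket defaults are kept.
        sock.bind((host, port))
        sock.listen(5)
    except OSError:
        sock.close()
        raise
    return sock


def second_bind_succeeds(host, port):
    """Deployment self-check: can another socket still bind this port?

    The probe sets SO_REUSEADDR, the option the quoted article is about.
    """
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        probe.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        probe.bind((host, port))
        return True
    except OSError:
        return False
    finally:
        probe.close()


if __name__ == "__main__":
    listener = make_listener()
    host, port = listener.getsockname()
    print("listening on", host, port)
    print("second bind succeeds:", second_bind_succeeds(host, port))
    listener.close()
```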