Quote:
Originally posted by Varius
They still have to get through to the webservers (to attack something like Apache)...which means they must break through the load-balancer (F5) first.
Huh? Why?
Let's say you've got 5 web servers behind one load balancer, and they're all running the same version of Apache, configured the same way (that's a safe assumption in most cases), and I happen to know of an exploit that just might work on that version of Apache.
I run my exploit, it goes through your load balancer to one of the 5 webservers, exploits the bug and bam, I have a shell running as the httpd user (or whatever user Apache is running as) on that webserver.
Sure, I've only cracked one of the 5 servers, but who cares? Now I poke around and see that the dumbass sysadmin that installed this box left an exploitable version of sendmail running even though it's not being used (it happens quite often). I exploit it and I have root.
Now I own your webserver. Sure, if I log out I lose the exploited one, but I can still grab sensitive information while I'm there, and I can always re-run the exploit later on and get another server. The load balancer is not an issue here at all: it passes everything through port 80 to one of the 5 servers, it doesn't care what's being passed through.
Unless I'm missing something.
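The point of the reply above is that a layer-4 balancer relays bytes to a backend without looking at them, and that re-sending the same request simply lands on the next identical server. The following toy model illustrates that from the defender's side (it is an added example, not code from this thread or from any F5 or Apache product): a round-robin forwarder that logs which backend handled each request, so an operator can see that every backend is reachable and that the request arrives unmodified, plus a fleet-homogeneity check showing why one working exploit implies exposure of all five. Backend names and the version labels are constructed sample values.

```python
"""Toy model of a layer-4 round-robin load balancer in front of N web servers.

Added example: shows that a pass-through balancer forwards the request bytes
unchanged, that repeated requests cycle across every backend, and that a
homogeneous fleet shares one exposure. All names/versions are constructed.
"""
from dataclasses import dataclass, field
from itertools import cycle


@dataclass
class Backend:
    name: str
    software: str                      # constructed label, e.g. "httpd-1.3"
    received: list = field(default_factory=list)

    def handle(self, request: bytes) -> str:
        # The backend sees exactly what the client sent; the balancer
        # added nothing and removed nothing.
        self.received.append(request)
        return f"{self.name} handled {len(request)} bytes"


class L4Balancer:
    """Round-robin TCP forwarder: picks a backend, relays the bytes verbatim."""

    def __init__(self, backends):
        self.backends = list(backends)
        self._rr = cycle(self.backends)
        # Defender-side record: (first bytes of request, backend that got it).
        # This mapping is what lets an operator trace a bad request to the
        # host that actually processed it.
        self.log = []

    def forward(self, request: bytes) -> str:
        backend = next(self._rr)
        self.log.append((request[:16], backend.name))
        return backend.handle(request)


def fleet_is_homogeneous(backends) -> bool:
    """True when every backend runs the same software build."""
    return len({b.software for b in backends}) == 1


def backends_reached(balancer: L4Balancer, request: bytes, attempts: int) -> set:
    """Send the same request `attempts` times and report which backends saw it."""
    names = set()
    for _ in range(attempts):
        balancer.forward(request)
        names.add(balancer.log[-1][1])
    return names


def build_fleet(n: int = 5, software: str = "httpd-1.3") -> list:
    """Constructed fleet of n identically configured backends."""
    return [Backend(name=f"web{i}", software=software) for i in range(1, n + 1)]


if __name__ == "__main__":
    fleet = build_fleet()
    lb = L4Balancer(fleet)
    req = b"GET /index.html HTTP/1.0\r\n\r\n"
    print("reached:", sorted(backends_reached(lb, req, 5)))
    print("homogeneous fleet:", fleet_is_homogeneous(fleet))
    print("first backend got request unchanged:", fleet[0].received[0] == req)
```

The balancer never inspects `request`, which is the reply's point: anything valid on port 80 reaches an origin server, so the place to look for the attack is the origin's own logs (correlated via the balancer's forwarding record), and the fleet check makes it explicit that patching one server does not change the answer for the other four.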