
On 04.05.2014 16:05, Andrew Lewman wrote:
> On Sat, May 03, 2014 at 09:36:01PM -0700, sweeney@riseup.net wrote 0.9K bytes in 0 lines about:
> : It is theoretically possible for someone in between my server and Tor to modify the request to run various PHP and other scripts and connect directly to the MySQL databases.
>
> I'm not sure I understand your concern. It's theoretically possible for something to mitm any connection on the Internet. Are you concerned something is actively modifying the contents of the rsync in transit?

I think the concern is that a MitM may intercept the connection and add some PHP code that will then be evaluated as the Webserver user on the server, allowing an attacker to execute arbitrary PHP code on the server hosting the mirror, enabling access to local-only resources like a MySQL server only accepting connections from localhost.
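
A mirror operator could check for the scenario discussed in this thread by auditing the synced tree for files a PHP-enabled web server might evaluate before the tree is served. The following is an added example, not code from the thread or from the Tor Project; the suffix list, the function names and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumption: names a PHP-enabled web server is commonly configured to execute or obey.
ACTIVE_SUFFIXES = (".php", ".phtml", ".phar", ".htaccess")
PHP_OPEN_TAG = b"<?php"


def audit_mirror(root, sniff_bytes=4096):
    """Return sorted (relative_path, reason) pairs for files under root
    that a static mirror should not contain."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):  # directory symlinks are not followed
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if os.path.islink(path):
                # Not opened; reported so the operator can review the target.
                findings.append((rel, "symlink"))
                continue
            if name.lower().endswith(ACTIVE_SUFFIXES):
                findings.append((rel, "suffix"))
                continue
            # Heuristic: a PHP open tag near the start of a file with another name.
            with open(path, "rb") as fh:
                if PHP_OPEN_TAG in fh.read(sniff_bytes).lower():
                    findings.append((rel, "php-tag"))
    return sorted(findings)


def demo():
    """Build a small constructed mirror tree and audit it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "dist"))
        samples = {  # constructed sample files, not real mirror content
            "index.html": b"<html>mirror</html>",
            "dist/package.tar.gz": b"\x1f\x8b constructed bytes",
            "dist/stats.PHP": b"<?php echo 1; ?>",
            "dist/readme.txt": b"notes\n<?PHP echo 1; ?>",
        }
        for rel, data in samples.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        return audit_mirror(root)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:8} {rel}")
```

Run against the rsync target directory, this reports unexpected files but does not prove the transfer was unmodified.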