Security issue with Hobbit "config" command.
On Wed, Aug 02, 2006 at 10:11:42AM -0500, Kruse, Jason K. wrote:
The config directive does not stay locked into the etc directory but will follow ../.. to allow access to any file the hobbit user has access to on the system.
Thanks, this was not meant to happen. There was actually a security check in the code, but it got two parameters in the wrong order, so it would always grant access. A patch is attached.
Regards, Henrik
On 02/08/2006 17:41, Henrik Stoerner wrote:
Thanks, this was not meant to happen. There was actually a security check in the code, but it got two parameters in the wrong order, so it would always grant access. A patch is attached.
Hi Henrik
Maybe a patch should be released for 4.1.2p1 (I've tested, any file can be read)?
--
Frédéric Mangeant
Steria EDC Sophia-Antipolis
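
A directory containment check of the kind discussed in this thread, written as an added example: it is not Hobbit's code and not the attached patch. The function names, the base path `/srv/hobbit/etc` and the sample file names are assumptions, and the base directory is assumed to have no trailing slash.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: 1 if normalized `path` lies inside directory `base`.
 * Argument order matters: directory first, candidate second. */
static int path_within(const char *base, const char *path)
{
    size_t n = strlen(base);
    if (strncmp(path, base, n) != 0) return 0;
    return path[n] == '/';   /* "/srv/etc-old/x" must not match "/srv/etc" */
}

/* Hypothetical: join client-supplied `name` onto `base` lexically (no
 * filesystem access). Returns 1 and fills `out` only if it stays in `base`. */
int resolve_config(const char *base, const char *name, char *out, size_t outsz)
{
    size_t baselen = strlen(base), len = baselen;
    const char *p = name;
    if (name[0] == '/' || baselen + 1 > outsz) return 0;
    memcpy(out, base, baselen + 1);
    while (*p) {
        size_t clen = strcspn(p, "/");
        if (clen == 2 && p[0] == '.' && p[1] == '.') {
            if (len <= baselen) return 0;      /* ".." would leave base */
            while (out[--len] != '/')
                continue;
            out[len] = '\0';                   /* pop one component */
        } else if (clen > 1 || (clen == 1 && p[0] != '.')) {
            if (len + clen + 2 > outsz) return 0;
            out[len++] = '/';
            memcpy(out + len, p, clen);
            len += clen;
            out[len] = '\0';
        }                                      /* "" and "." are skipped */
        p += clen;
        if (*p == '/') p++;
    }
    return path_within(base, out);
}

int main(void)
{
    char out[256];
    const char *names[] = { "hobbit-clients.cfg", "../../etc/passwd" };  /* constructed samples */
    for (int i = 0; i < 2; i++)
        printf("%-20s -> %s\n", names[i],
               resolve_config("/srv/hobbit/etc", names[i], out, sizeof out) ? out : "DENIED");
    return 0;
}
```

The check is purely lexical, so a server that may have symlinks under its configuration directory would additionally compare the `realpath()` of the result against the base. A test that asserts the denial for a `..` request is what exposes a check that always grants access.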