Re: Potential security issue with LedgerSMB (inherited from SL)
- Subject: Re: Potential security issue with LedgerSMB (inherited from SL)
- From: "Christopher Murtagh" <..hidden..>
- Date: Mon, 11 Sep 2006 11:47:53 -0400
On 9/11/06, Christopher Murtagh <..hidden..> wrote:
The real question is, is this being used in a dangerous way?
Well, after looking around a bit, the only place I could see that
might be dangerous is the setup.pl script. When executed through the
browser with a blank HTTP_USER_AGENT, it dumps 'You must have either
lynx or LWP installed or specify a filename.' into the error_log. So,
this isn't immediately critical, but the script does execute farther
than intended, which can pose a problem.
The other scripts end with compilation errors, except for login.pl
which gives an 'Unknown terminal' as the error.
So, I think we can step down from yellow alert, but we should
probably still find something safer than HTTP_USER_AGENT.
Also, when I try to run the scripts from the command line, it tries to
include bin/xterm/scriptname.pl, which doesn't exist. Is this the
current behaviour of SL or did we break something and command line
users have just lost functionality?
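The concern in this message is that the scripts pick their "terminal" (and therefore which bin/<terminal>/script.pl gets included) from HTTP_USER_AGENT, so a browser request with a blank User-Agent falls through to the command-line branch. The following is an added illustration, not SQL-Ledger or LedgerSMB code: it contrasts that user-agent check with one keyed on the CGI environment (GATEWAY_INTERFACE, which a web server sets for every CGI request), and it checks the terminal name against a fixed list before building the include path. The 'mozilla' directory name and the helper names are assumptions for the example.

```perl
#!/usr/bin/perl
# Added example (not from the SL/LedgerSMB tree). Terminal directory names
# other than 'xterm' are placeholders assumed for illustration.
use strict;
use warnings;

# Fragile variant: a request with an empty or missing HTTP_USER_AGENT is
# treated as a command-line session even though it came through the web server.
sub terminal_from_user_agent {
    my ($env) = @_;
    return (defined $env->{HTTP_USER_AGENT} && $env->{HTTP_USER_AGENT} ne '')
        ? 'mozilla' : 'xterm';
}

# Safer variant: GATEWAY_INTERFACE is set by the web server itself (CGI spec),
# so the client cannot blank it the way it can blank User-Agent.
sub terminal_from_gateway {
    my ($env) = @_;
    return defined $env->{GATEWAY_INTERFACE} ? 'mozilla' : 'xterm';
}

# Only these terminal directories may ever be used to build an include path,
# and the script name must be a plain lowercase .pl name (no '/' or '..').
my %known_terminal = map { $_ => 1 } qw(mozilla xterm);

sub script_path {
    my ($terminal, $script) = @_;
    die "unknown terminal '$terminal'\n" unless $known_terminal{$terminal};
    die "bad script name '$script'\n"    unless $script =~ /\A[a-z_]+\.pl\z/;
    return "bin/$terminal/$script";
}

# Constructed environments: a browser request with a blank User-Agent header,
# and a genuine command-line invocation with no CGI variables at all.
my %web_blank_ua = (GATEWAY_INTERFACE => 'CGI/1.1',
                    REQUEST_METHOD    => 'GET',
                    HTTP_USER_AGENT   => '');
my %command_line = ();

for my $case (['web, blank UA', \%web_blank_ua], ['command line', \%command_line]) {
    my ($label, $env) = @$case;
    printf "%-14s user-agent check -> %-7s gateway check -> %s\n",
        $label, terminal_from_user_agent($env), terminal_from_gateway($env);
}

# The web request is routed to the browser terminal; the path is built only
# after both the terminal and the script name pass the checks above.
print script_path(terminal_from_gateway(\%web_blank_ua), 'login.pl'), "\n";
```

Running it prints 'xterm' for the blank-User-Agent web request under the user-agent check and 'mozilla' under the gateway check, which is the fall-through the message describes.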