[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Potential security issue with LedgerSMB (inherited from SL)

On 9/11/06, Christopher Murtagh <..hidden..> wrote:
The real question is, is this being  used in a dangerous way?

Well, after looking around a bit, the only place I could see that
might be dangerous is the setup.pl script. When executed through the
browser with a blank HTTP_USER_AGENT, it dumps 'You must have either
lynx or LWP installed or specify a filename.' into the error_log. So,
this isn't immediately critical, but the script does execute farther
than intended which can pose to be a problem.

The other scripts end with compilation errors, except for login.pl
which gives an 'Unknown terminal' as the error.

 So, I think we can step down from yellow alert, but we should
probably still find something safer than HTTP_USER_AGENT.

Also, when I try to run the scripts from the command line, it tries to
include bin/xterm/scriptname.pl, which doesn't exist. Is this the
current behaviour of SL or did we break something and command line
users have just lost functionality?