[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Potential security issue with LedgerSMB (inherited from SL)

Subject: Re: Potential security issue with LedgerSMB (inherited from SL)
From: "Christopher Murtagh" <..hidden..>
Date: Mon, 11 Sep 2006 11:47:53 -0400

On 9/11/06, Christopher Murtagh <..hidden..> wrote:

The real question is, is this being  used in a dangerous way?


Well, after looking around a bit, the only place I could see that
might be dangerous is the setup.pl script. When executed through the
browser with a blank HTTP_USER_AGENT, it dumps 'You must have either
lynx or LWP installed or specify a filename.' into the error_log. So,
this isn't immediately critical, but the script does execute farther
than intended which can pose to be a problem.

The other scripts end with compilation errors, except for login.pl
which gives an 'Unknown terminal' as the error.

 So, I think we can step down from yellow alert, but we should
probably still find something safer than HTTP_USER_AGENT.

Also, when I try to run the scripts from the command line, it tries to
include bin/xterm/scriptname.pl, which doesn't exist. Is this the
current behaviour of SL or did we break something and command line
users have just lost functionality?

Cheers,

Chris

Follow-Ups:
- Re: Potential security issue with LedgerSMB (inherited from SL)
  - From: Tony Fraser

References:
- Potential security issue with LedgerSMB (inherited from SL)
  - From: Christopher Murtagh

Prev by Date: Potential security issue with LedgerSMB (inherited from SL)
Next by Date: Re: Potential security issue with LedgerSMB (inherited from SL)
Previous by thread: Potential security issue with LedgerSMB (inherited from SL)
Next by thread: Re: Potential security issue with LedgerSMB (inherited from SL)
Index(es):
- Date
- Thread