Re: Potential security issue with LedgerSMB (inherited from SL)
- Subject: Re: Potential security issue with LedgerSMB (inherited from SL)
- From: Tony Fraser <..hidden..>
- Date: Mon, 11 Sep 2006 14:25:41 -0700
On Mon, 2006-09-11 at 13:03 -0700, Chris Travers wrote:
> From what I have seen, the fact that the xterm directory is
> missing already makes this a problem out of the box with
> SQL-Ledger 2.6.x.
>
> Of course, this doesn't prevent you from setting an HTTP-USER-AGENT
> environment variable and then treating this as a cgi script. So some
> scripts might require some slight modifications (I would be happy to
> help provide a toolkit to do that for backwards compatibility).
Actually, if you look at the code it only sets the path form variable if
it isn't already set by a CGI param or ARGV. So as long as you set
path=/bin/(lynx|mozilla) then the command line works as advertised in
SQL Ledger even without the bin/xterm.
--
Tony Fraser
..hidden..
Sybaspace Internet Solutions System Administrator
phone: (250) 246-5368 fax: (250) 246-5398