[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Potential security issue with LedgerSMB (inherited from SL)

On Mon, 2006-09-11 at 13:03 -0700, Chris Travers wrote:
>         From what I have seen, the fact that the xterm directory is
>         missing already makes this a problem out of the box with
>         SQL-Ledger 2.6.x.
>         Of course, this doesn't prevent you from setting an
> environment variable and then treating this as a cgi script.  So some
> scripts might require some slight modifications (I would be happy to
> help provide a toolkit to do that for backwards compatibility). 

Actually, if you look at the code it only sets the path form variable if
it isn't already set by a CGI param or ARGV. So as long as you set
path=/bin/(lynx|mozilla) then the command line works as advertised in
SQL Ledger even without the bin/xterm.

Tony Fraser
Sybaspace Internet Solutions                        System Administrator
phone: (250) 246-5368                                fax: (250) 246-5398