svn commit: samba r23047 - in branches/SAMBA_4_0/source/scripting/ejs: .

tridge at samba.org tridge at samba.org
Mon May 21 23:17:36 GMT 2007


Mimir,

 > +		/* First, try to include file from current working directory.
 > +		   This allows local includes which is handy sometimes. */
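Review bot: searching the current working directory before the library path means whoever can write to the directory a privileged tool is run from chooses which code that tool loads; resolve includes only against the configured library directories and leave the working directory out of the search list entirely.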

yes, it's very handy if you are a malicious hacker!

Imagine the admin has an ftp upload area, and cd's to that
directory. He wants to see if anyone is connected to that area with
"smbstatus". The attacker uploads util.js and hey presto the attacker
has just got the admin to run his code inside smbstatus, as root.

Same applies to someone's home directory.

There is a very good reason why "." is not in $PATH on unix by
default :-)

Please revert this one. It's a major security hole.

Cheers, Tridge
