svn commit: samba r23047 - in branches/SAMBA_4_0/source/scripting/ejs: .

Rafal Szczesniak mimir at
Tue May 22 06:14:31 GMT 2007

On Tue, May 22, 2007 at 09:17:36AM +1000, tridge at wrote:
> Mimir,
>  > +		/* First, try to include file from current working directory.
>  > +		   This allows local includes which is handy sometimes. */
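
Review bot: the comment at the top of this hunk documents a lookup in the current working directory ahead of the defined include paths, so the file that gets loaded depends on where the tool was started rather than on what is installed. Search the defined paths first, or drop the working-directory lookup unless the caller asks for it, and update the comment to state the order.
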
> yes, it's very handy if you are a malicious hacker!
> Imagine the admin has a ftp upload area, and cd's to that
> directory. He wants to see if anyone is connected to that area with
> "smbstatus". The attacker uploads util.js and hey presto the attacker
> has just got the admin to run his code inside smbstatus, as root.

Well, yes, you're right. I messed up the order :) But it should be ok
to reverse the order of inclusion - defined paths first, local dir
second. This would avoid substituting commonly used include files
while still being able to include something local.

Rafal Szczesniak
Samba Team member
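
The two search orders discussed in this thread, as an added example (not Samba's code and not part of the original messages). `resolve_include()`, `put()`, `scenario()`, the `/tmp` directory names and `extra.js` are hypothetical; the files are constructed empty files.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

enum origin { NOT_FOUND, FROM_DEFINED_PATH, FROM_CWD };

/* Hypothetical resolver: one defined include dir plus the working directory,
   searched in the order selected by cwd_first. */
static enum origin resolve_include(const char *name, const char *libdir, int cwd_first)
{
    char path[4096];
    snprintf(path, sizeof path, "%s/%s", libdir, name);
    int in_lib = access(path, R_OK) == 0;
    int in_cwd = access(name, R_OK) == 0;  /* relative name: resolved against cwd */
    if (cwd_first)
        return in_cwd ? FROM_CWD : in_lib ? FROM_DEFINED_PATH : NOT_FOUND;
    return in_lib ? FROM_DEFINED_PATH : in_cwd ? FROM_CWD : NOT_FOUND;
}

/* Create (make=1) or delete (make=0) the empty file dir/name. */
static void put(const char *dir, const char *name, int make)
{
    char path[4096];
    snprintf(path, sizeof path, "%s/%s", dir, name);
    if (!make) { unlink(path); return; }
    FILE *f = fopen(path, "w");
    if (f) fclose(f);
}

/* Constructed scenario: the defined dir holds util.js; the working directory
   (standing in for the upload area) holds its own util.js and extra.js. */
static enum origin scenario(const char *name, int cwd_first)
{
    char lib[] = "/tmp/inc_lib_XXXXXX", up[] = "/tmp/inc_up_XXXXXX";
    if (!mkdtemp(lib) || !mkdtemp(up) || chdir(up) != 0) return NOT_FOUND;
    put(lib, "util.js", 1); put(up, "util.js", 1); put(up, "extra.js", 1);
    enum origin r = resolve_include(name, lib, cwd_first);
    put(lib, "util.js", 0); put(up, "util.js", 0); put(up, "extra.js", 0);
    if (chdir("/") == 0) { rmdir(lib); rmdir(up); }
    return r;
}

int main(void)
{
    printf("cwd first,   util.js  -> %d\n", (int)scenario("util.js", 1));
    printf("paths first, util.js  -> %d\n", (int)scenario("util.js", 0));
    printf("paths first, extra.js -> %d\n", (int)scenario("extra.js", 0));
    return 0;
}
```

With defined paths first, the installed `util.js` is no longer shadowed, but a name that exists only in the working directory still resolves from there.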
