svn commit: samba r23047 - in branches/SAMBA_4_0/source/scripting/ejs: .

Rafal Szczesniak mimir at samba.org
Tue May 22 06:14:31 GMT 2007


On Tue, May 22, 2007 at 09:17:36AM +1000, tridge at samba.org wrote:
> Mimir,
> 
>  > +		/* First, try to include file from current working directory.
>  > +		   This allows local includes which is handy sometimes. */
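Review bot: the cwd is consulted before the configured script directories, so any file named like a library include that happens to sit in the working directory is picked up instead of the real one, and smbstatus runs it with whatever privileges it has. Search the configured directories first and only fall back to the cwd when nothing was found; if local includes should stay opt-in rather than implicit, require an explicit relative prefix (e.g. `./util.js`) for them so a bare `util.js` can never resolve outside the library paths.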
> 
> yes, it's very handy if you are a malicious hacker!
> 
> Imagine the admin has a ftp upload area, and cd's to that
> directory. He wants to see if anyone is connected to that area with
> "smbstatus". The attacker uploads util.js and hey presto the attacker
> has just got the admin to run his code inside smbstatus, as root.

Well, yes, you're right. I messed up the order :) But it should be ok
to reverse the order of inclusion - defined paths first, local dir
second. This would prevent commonly used include files from being
substituted while still allowing something local to be included.


cheers,
-- 
Rafal Szczesniak
Samba Team member  http://www.samba.org
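To make the two search orders discussed above concrete, here is an added example (written for this page, not Samba's ejs code) of a small include resolver that can run with either order. It builds a constructed throwaway tree under mkdtemp: a "trusted" library directory holding `util.js`, and an "upload" directory standing in for the ftp area that holds a second `util.js` plus a `local.js`, then chdirs into the upload directory like the admin in the scenario. The directory layout, file names and the `INCLUDE_*` result codes are assumptions of this example; the resolver also rejects absolute names and `..` so an include cannot wander outside the directories it is meant to search.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <limits.h>
#include <sys/stat.h>
#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Where an include lookup ended up (codes invented for this example). */
enum include_src {
	INCLUDE_REJECTED = -1,  /* absolute name or ".." component */
	INCLUDE_NOTFOUND = 0,
	INCLUDE_TRUSTED  = 1,   /* found in a configured script directory */
	INCLUDE_CWD      = 2    /* found in the current working directory */
};

static int is_regular_file(const char *path)
{
	struct stat st;
	return stat(path, &st) == 0 && S_ISREG(st.st_mode);
}

/* Only bare relative names are acceptable include targets. */
static int include_name_ok(const char *name)
{
	if (name == NULL || *name == '\0' || *name == '/')
		return 0;
	return strstr(name, "..") == NULL;
}

/* cwd_first=1 is the order of the committed patch (a file in the cwd shadows
   the library copy); cwd_first=0 is the reversed order proposed in the reply.
   On success `out` receives the path that would be opened. */
int resolve_include(const char *name, const char *const *trusted, int ntrusted,
		    int cwd_first, char *out, size_t outlen)
{
	int i;
	out[0] = '\0';
	if (!include_name_ok(name))
		return INCLUDE_REJECTED;
	if (cwd_first && is_regular_file(name)) {
		snprintf(out, outlen, "./%s", name);
		return INCLUDE_CWD;
	}
	for (i = 0; i < ntrusted; i++) {
		snprintf(out, outlen, "%s/%s", trusted[i], name);
		if (is_regular_file(out))
			return INCLUDE_TRUSTED;
	}
	if (!cwd_first && is_regular_file(name)) {
		snprintf(out, outlen, "./%s", name);
		return INCLUDE_CWD;
	}
	out[0] = '\0';
	return INCLUDE_NOTFOUND;
}

/* Constructed demo tree: stands in for the library dir and the upload area. */
char demo_trusted[PATH_MAX];
char demo_upload[PATH_MAX];

static int write_file(const char *path, const char *text)
{
	FILE *f = fopen(path, "w");
	if (f == NULL)
		return -1;
	fputs(text, f);
	return fclose(f);
}

/* Creates trusted/util.js, upload/util.js (the uploaded copy) and
   upload/local.js under a fresh mkdtemp directory, then chdirs into upload/. */
int build_demo_tree(void)
{
	char base[] = "/tmp/ejs-include-demo-XXXXXX";
	char path[PATH_MAX];
	if (mkdtemp(base) == NULL)
		return -1;
	snprintf(demo_trusted, sizeof demo_trusted, "%s/trusted", base);
	snprintf(demo_upload, sizeof demo_upload, "%s/upload", base);
	if (mkdir(demo_trusted, 0700) != 0 || mkdir(demo_upload, 0700) != 0)
		return -1;
	snprintf(path, sizeof path, "%s/util.js", demo_trusted);
	if (write_file(path, "/* genuine library copy */\n") != 0)
		return -1;
	snprintf(path, sizeof path, "%s/util.js", demo_upload);
	if (write_file(path, "/* copy dropped into the upload area */\n") != 0)
		return -1;
	snprintf(path, sizeof path, "%s/local.js", demo_upload);
	if (write_file(path, "/* a genuinely local script */\n") != 0)
		return -1;
	return chdir(demo_upload);
}

/* Resolve `name` against the demo tree and report which copy was chosen. */
int demo_lookup(const char *name, int cwd_first)
{
	const char *const dirs[] = { demo_trusted };
	char found[PATH_MAX];
	int src = resolve_include(name, dirs, 1, cwd_first, found, sizeof found);
	printf("%-12s cwd_first=%d -> %2d %s\n", name, cwd_first, src, found);
	return src;
}

int main(void)
{
	if (build_demo_tree() != 0)
		return 1;
	demo_lookup("util.js", 1);    /* patch order: uploaded copy wins */
	demo_lookup("util.js", 0);    /* reversed order: library copy wins */
	demo_lookup("local.js", 0);   /* nothing in the library: cwd fallback */
	demo_lookup("../util.js", 0); /* rejected before any lookup */
	return 0;
}
```

Running it shows the shadowing tridge describes only with `cwd_first=1`; with the reversed order the library `util.js` is found first and the cwd is reached only for names the library does not provide, which is exactly the residual behaviour to weigh when deciding whether local includes should be implicit at all.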
