svn commit: samba r23047 - in branches/SAMBA_4_0/source/scripting/ejs: .
Rafal Szczesniak
mimir at samba.org
Tue May 22 06:14:31 GMT 2007
On Tue, May 22, 2007 at 09:17:36AM +1000, tridge at samba.org wrote:
> Mimir,
>
> > + /* First, try to include file from current working directory.
> > + This allows local includes which is handy sometimes. */
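Review bot: searching the current working directory before the configured include directories means any file in the CWD whose name matches a standard include is loaded in its place, so the lookup order described in this comment should be inverted (configured paths first, CWD last), or the CWD lookup restricted to explicitly relative names.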
>
> yes, it's very handy if you are a malicious hacker!
>
> Imagine the admin has a ftp upload area, and cd's to that
> directory. He wants to see if anyone is connected to that area with
> "smbstatus". The attacker uploads util.js and hey presto the attacker
> has just got the admin to run his code inside smbstatus, as root.
Well, yes, you're right. I messed up the order :) But it should be ok
to reverse the order of inclusion - defined paths first, local dir
second. This would allow not substituting commonly used include files
while still being able to include something local.
cheers,
--
Rafal Szczesniak
Samba Team member http://www.samba.org
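The two lookup orders discussed above, as an added illustration that is not part of the commit or of this thread: a small resolver is run against a constructed layout with a trusted library directory and a writable working directory (the upload area from tridge's scenario), both holding a `util.js`. The function names, directory names and file contents are assumptions made for the example.

```python
import os
import tempfile


def resolve_include(name, include_dirs, cwd, cwd_first):
    """Return the path an include of `name` would load, or None.

    cwd_first=True models the order in the original commit (current working
    directory searched before the configured include directories);
    cwd_first=False models the reversed order proposed in the reply."""
    if os.path.isabs(name):  # absolute includes are not searched at all
        return name if os.path.isfile(name) else None
    order = [cwd] + list(include_dirs) if cwd_first else list(include_dirs) + [cwd]
    for directory in order:
        candidate = os.path.join(directory, name)
        if os.path.isfile(candidate):
            return candidate
    return None


def demo():
    """Constructed layout: lib/util.js (trusted), upload/util.js (same name,
    planted in the writable working directory) and upload/extra.js (a real
    local include). Returns the parent directory name each lookup picks."""
    with tempfile.TemporaryDirectory() as root:
        libdir = os.path.join(root, "lib")
        upload = os.path.join(root, "upload")
        os.makedirs(libdir)
        os.makedirs(upload)
        for directory in (libdir, upload):
            with open(os.path.join(directory, "util.js"), "w") as fh:
                fh.write("// constructed sample file\n")
        with open(os.path.join(upload, "extra.js"), "w") as fh:
            fh.write("// constructed local include\n")

        def parent(path):
            return os.path.basename(os.path.dirname(path))

        return {
            # commit order: the planted copy shadows the library copy
            "cwd_first": parent(resolve_include("util.js", [libdir], upload, True)),
            # reversed order: the library copy wins for a known name
            "lib_first": parent(resolve_include("util.js", [libdir], upload, False)),
            # reversed order still serves a name that exists only locally;
            # that is the residual exposure of any CWD fallback
            "local_still_works": parent(resolve_include("extra.js", [libdir], upload, False)),
        }
```

The last entry shows the caveat of the reversed order: a CWD fallback still satisfies any include name absent from the configured directories, so it narrows the shadowing problem rather than removing CWD from the trust boundary.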