Bug#365910: [Pkg-awstats-devel] Bug#365910: AWStats: Malicious config file shell code injection
Charles Fry
debian at frogcircus.org
Fri May 5 23:02:30 UTC 2006
> While this plugs the current hole, I have a feeling that allowing
> users to use their own config file is a bad idea because it keeps open
> a class of possible attack vectors. I would suggest to accept config
> files provided by the configdir parameter only if the config is owned
> by the same user that is running the CGI script.
I don't like that, because normally the config file should not be
writable by the web server.
Another solution would be to simply disable the configdir parameter.
Charles
--
Late risers!
Shave in just
2 minutes flat
Kiss your wife
Grab your hat
Burma-Shave
http://burma-shave.org/jingles/1933/late_risers
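An illustration of the acceptance check debated above, written here as an added example and not taken from AWStats or from either poster: a caller-supplied configdir path is resolved, confined to an assumed trusted directory (/etc/awstats, an assumption), and then judged by owner and write permissions. Following Charles's point, the default allowed owner is root rather than the CGI user, and any file the web server or other users could write is refused; the ownership rule from the quoted proposal can be expressed by passing a different allowed_owners. The fake_stat helper builds constructed stat results so the checks run offline.

```python
import os
import stat

# Assumed trusted location for AWStats config files (not from the bug report).
TRUSTED_DIRS = ("/etc/awstats",)
ROOT_UID = 0


def inside(path, base):
    """True if path (already canonical) is base itself or lies below it."""
    base = os.path.normpath(base)
    return path == base or path.startswith(base + os.sep)


def evaluate_file_policy(st, allowed_owners=(ROOT_UID,)):
    """Judge an already-resolved config file by its stat result.

    Refuses anything the web server (or anyone else) could have written:
    the file must be regular, owned by an allowed uid, and neither group-
    nor world-writable.  Returns (accepted, reason).
    """
    if not stat.S_ISREG(st.st_mode):
        return False, "not a regular file"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False, "group- or world-writable"
    if st.st_uid not in allowed_owners:
        return False, "owner uid %d not allowed" % st.st_uid
    return True, "ok"


def accept_config(candidate, trusted_dirs=TRUSTED_DIRS, allowed_owners=(ROOT_UID,)):
    """Decide whether a caller-supplied config path may be loaded at all."""
    real_path = os.path.realpath(candidate)      # collapses ../ and symlinks
    if not any(inside(real_path, d) for d in trusted_dirs):
        return False, "outside trusted config directories"
    try:
        st = os.stat(real_path)
    except OSError as exc:
        return False, "cannot stat: %s" % exc.strerror
    return evaluate_file_policy(st, allowed_owners)


def fake_stat(mode, uid):
    """Constructed stat result for offline demonstration (no real file)."""
    return os.stat_result((mode, 1, 1, 1, uid, 0, 100, 0, 0, 0))


if __name__ == "__main__":
    print(accept_config("/etc/awstats/../../tmp/evil.conf"))
    print(evaluate_file_policy(fake_stat(0o100644, ROOT_UID)))
    print(evaluate_file_policy(fake_stat(0o100666, ROOT_UID)))
    print(evaluate_file_policy(fake_stat(0o100644, 33), allowed_owners=(33,)))
```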