Possible Security Hole in Package Manager!

David:
Yep, it is almost sad some of the server configurations I see.  I wouldn't worry though as this will get taken care of. :)

[Unknown]:
A sanity check is fine, no packages should be using '../' anyway, but... really this is quite minor, because the admin would have to do this, and would have to type a password if they were redirected.... it's just very unlikely that it could be exploited easily.

-[Unknown]

trparky:
Yeah, I know.  The admin would have to do it.  But after being a Help Desk Tech for RochenHost, I got to see a different side of the story here.

For all the web hosts out there, please fix this bug.

Like I said, there is no underestimating the stupidity of the end-user and the skill of some 133+ hax0r.

[Unknown]:
Well, you're ignoring the other zillion functions in Subs-Package.php.  Most of them could screw a host over several times if used incorrectly.

-[Unknown]

Jeff Lewis:
But the point is very valid in that a safety check should be there regardless. Anything that causes injection should be stopped.
