[Coldstuff] Advisory: Security hole with ColdCore

Brad Roberts coldstuff@cold.org
Wed, 23 Jan 2002 18:05:27 -0800 (PST)


What permissions does the user have to have to exploit?  In other words,
does it require $guest, $user, $builder, $programmer?  Can it be exploited
remotely via the default services (http, smtp, etc)?

These sorts of things are useful to properly weigh the risk and urgency of
obtaining the fix.  There are probably other questions worth asking, but you
get the point.  It's possible to provide some detail other than "you've got
a problem, see me for a fix" without giving out the gory details.

Later,
Brad

On Wed, 23 Jan 2002, Brandon Gillespie wrote:

> Date: Wed, 23 Jan 2002 18:50:07 -0700
> From: Brandon Gillespie <brandon@roguetrader.com>
> Reply-To: coldstuff@cold.org
> To: coldstuff@cold.org
> Subject: [Coldstuff] Advisory: Security hole with ColdCore
>
> This is an advisory to anybody running ColdCore.  There is a security
> hole which was found by xmath where anybody can run code as an
> administrator.  I'll post the fix here in a week or so, to give
> administrators a chance to fix it first.  To get the fix either
> contact me via email or get on the Cold Dark and ask either me or
> xmath.
>
> -Brandon Gillespie