[Coldstuff] Advisory: Security hole with ColdCore

xmath coldstuff@cold.org
Thu, 24 Jan 2002 07:40:00 +0100

Previous message: [Coldstuff] Advisory: Security hole with ColdCore
Next message: [Coldstuff] Advisory: Security hole with ColdCore
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

>What permissions does the user have to have to exploit?  In other words,
>does it require $guest, $user, $builder, $programmer?  Can it be exploited
>remotely via the default services (http, smtp, etc)?
>
>These sorts of things are useful to properly weigh the risk and urgency of
>obtaining the fix.  There's probably other questions worth asking, but you
>get the point.  Its possible to provide some detail other than "you've got
>a problem, see me for a fix" without giving out the gory details.

To be able to exploit the security hole, the user must be able to 
execute a public method, which normally means he has to be 
$programmer. If he can exploit the hole, he can basically do 
anything, including making himself an admin.

  - xmath

Previous message: [Coldstuff] Advisory: Security hole with ColdCore
Next message: [Coldstuff] Advisory: Security hole with ColdCore
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]