Out of curiosity, why is this not an issue?
I would think the ability to reconfigure and execute arbitrary commands on a server is a pretty big issue, even if the chance of it happening is slim.

http://seclists.org/fulldisclosure/2011/Jun/0
"Vendor response: "This isn't an issue."

Problem: the cherokee server admin configuration web interface is
vulnerable to csrf.

Impact: if an admin is logged into the cherokee admin interface and
visits a site which runs "bad tm scripts" cherokee can be reconfigured
to run as $user and set log handlers(hooks) to execute arbitrary
commands (on error and on access)."
_______________________________________________
Cherokee mailing list
[email protected]
http://lists.octality.com/listinfo/cherokee
