On 12/4/06, Stefan Fritsch <[EMAIL PROTECTED]> wrote:
The metaInfo.php issue doesn't seem to be fixed in 2.2
To be clear, I would like to point out that the more serious remote command execution using metaInfo.php IS fixed in 2.2. However, the local privilege escalation is present in 2.2 by a local user creating a file with backticks in it, then pointing the torrent variable of details.php to it and executing the command as the web server user. Cameron -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
