Samuel Krempp a écrit, le 25/03/2012 11:41:
I see GOsa devs noticed the security issue 19 months ago :
https://oss.gonicus.de/labs/gosa/ticket/1026
"Additionally the script parameter are not escaped right now, somebody
could do nasty thing with it. I will have a look at this too. "

How serious is knowingly leaving such a vulnerability, with easy fix,
open for 19 months ?


Sorry, did not check before posting, the issue was indeed fixed 19 months ago in GOsa trunk, I shouldn't send emails with one hand while playing with my kids with the other :
https://oss.gonicus.de/labs/gosa/changeset/19467
It's been present in releases since GOsa's 2.6.12, so SkoleLinux should upgrade. It's rather important to prevent malicious students to execute arbitrary commands as www-data, and hopefully there isn't any change that breaks skolelinux : https://oss.gonicus.de/labs/gosa/changeset?old_path=%2Ftags%2F2.6.12&old=20607&new_path=%2Ftags%2F2.6.11&new=20520

Once GOsa version is updated and %userPassword is properly escaped, my patch will likely have to reversed.




--
To UNSUBSCRIBE, email to debian-edu-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/4f6ef2da....@crans.ens-cachan.fr

Reply via email to