On 31 Jan 2002, Charlie Brady wrote:

> On Thu, 31 Jan 2002, Darrell May wrote:
> 
> > Charlie Brady <[EMAIL PROTECTED]> said:
> > 
> > > A big word of warning here.
> > 
> > Charlie, guess you never took a look first before replying :-(
> 
> My warning stands whatever the content of your contrib. You made mention 
> of the user-manager in your announcement, and my warning particularly 
> applies in that context. It may also apply to your contrib, for all I 
> know. 

I know you guys are talking about Darrell's new
dmc-mitel-servermanager-navigation RPM (which I haven't had a chance to
look at) but Charlie has pointed out a potential security problem
with my own e-smith-userpanel RPM (i.e. user-manager panels).

If I understand Charlie correctly, the server-manager panels were all 
written with the knowledge that they would be behind the 
username/password of one user: admin.  As such, input from the 
panels' forms can be (pretty much) trusted.

When you open up the server-manager panels to other users (via 
my e-smith-userpanel-config RPM or otherwise), those users 
should be trusted as if they had full admin privileges because 
there may be the possibility of 'tricking' the panels into doing 
something you don't want them to.

When I get a chance, I'll add a note to that effect in my
e-smith-userpanel-config RPM.

Daniel van Raay
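The point made above (panels written on the assumption that only admin is behind them, so form input is trusted; giving other users access breaks that assumption) is easy to see in a small model. The following is an added example, not code from this thread, from the e-smith project or from any of the RPMs mentioned; the account store, the handler names `set_password_trusting` / `set_password_checked` and the form layout are all constructed for illustration. It shows the original trust model beside the per-request authorization check a panel needs once non-admin users can reach it.

```python
"""
Model of a "change password" panel handler.

set_password_trusting: the original style, which trusts every form field
because the panel assumed the only person who can submit it is admin.
Whoever submits the form picks the target account.

set_password_checked: the same operation, but the decision is made against
the authenticated session identity, not against form contents, and the
user-supplied account name is validated before it is used.

All names here are hypothetical (constructed for this example).
"""

import re

# Account names allowed by the panel: lowercase, no path or shell characters.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_-]{0,31}$")


class Forbidden(Exception):
    """Authenticated caller is not allowed to act on the target account."""


class BadRequest(Exception):
    """Form data is malformed or refers to an account that does not exist."""


def set_password_trusting(accounts, form):
    """Original trust model: any field in the form is believed as submitted.

    Safe only while the single user behind the panel is admin; once other
    users can reach it, any of them can change any account's credential.
    """
    accounts[form["user"]] = form["new_hash"]
    return form["user"]


def set_password_checked(accounts, authenticated_user, form):
    """Hardened handler: validate the target, then authorize against the
    session identity. admin may change anyone; others only themselves."""
    target = form.get("user", "")
    if not USERNAME_RE.match(target) or target not in accounts:
        raise BadRequest("invalid or unknown user")
    if authenticated_user != "admin" and authenticated_user != target:
        raise Forbidden(f"{authenticated_user} may not modify {target}")
    accounts[target] = form["new_hash"]
    return target


def attempt(accounts, authenticated_user, form):
    """Run the checked handler and report the outcome as a short string."""
    try:
        return "ok:" + set_password_checked(accounts, authenticated_user, form)
    except Forbidden:
        return "forbidden"
    except BadRequest:
        return "bad-request"


if __name__ == "__main__":
    # Constructed account store: credential values are placeholders.
    accounts = {"admin": "HASH-A", "alice": "HASH-B", "bob": "HASH-C"}
    # bob, a non-admin user, submits a form naming admin as the target.
    form = {"user": "admin", "new_hash": "HASH-BOB-CHOSE"}
    print("trusting handler let bob change:", set_password_trusting(accounts, form))
    print("checked handler for bob:", attempt(accounts, "bob", form))
    print("checked handler for admin:", attempt(accounts, "admin", form))
```

The difference between the two handlers is where the identity comes from: the first takes it from the form (attacker-controlled once the panel is opened up), the second from the authenticated session. That is the check that has to be added to every panel before a non-admin user is allowed behind it.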


--
Please report bugs to [EMAIL PROTECTED]
Please mail [EMAIL PROTECTED] (only) to discuss security issues
Support for registered customers and partners to [EMAIL PROTECTED]
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Archives by mail and http://www.mail-archive.com/devinfo%40lists.e-smith.org