---------- Forwarded message ----------
From: Ryan Boren <[EMAIL PROTECTED]>
Date: May 27, 2006 12:17 PM
Subject: Re: Fwd: Bug#369014: 'Cache' shell injection vulnerability
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]

Kai Hendry wrote:
> Seems like a local attack. Any comments?

The cache must be turned on, registration must be turned on, and the MySQL password must be cracked for this to be exploitable. In other words, you need a login and the DB password. It doesn't seem very exploitable, but we've already committed a fix and are in the process of testing 2.0.3.

Ryan