Jörn Nettingsmeier wrote:
hi !
if you're running lenya 1.4 in production or in any situation where
you may have untrusted local users, or trusted users with a weird
sense of humour and advanced computer skills, you will want to comment
out the following section from your WEB-INF/cocoon.xconf and restart
lenya:
<!--
<component-instance
class="org.apache.lenya.cms.ac.usecases.UserPassword"
logger="lenya.admin" name="admin.changePassword">
<view menu="true" template="usecases/admin/changePassword.jx">
<tab group="admin" name="users"/>
</view>
<exit usecase="admin.user"/>
</component-instance>
-->
there appears to be a local privilege escalation and dos exploit.
I would suggest let's comment it within trunk and add a TODO/Bug that
this needs to be protected better
before we enable it again.
Michi
regards,
jörn
--
Michael Wechner
Wyona - Open Source Content Management - Apache Lenya
http://www.wyona.com http://lenya.apache.org
[EMAIL PROTECTED] [EMAIL PROTECTED]
+41 44 272 91 61
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
