Michael Wechner wrote:
Jörn Nettingsmeier wrote:
hi !
if you're running lenya 1.4 in production or in any situation where
you may have untrusted local users, or trusted users with a weird
sense of humour and advanced computer skills, you will want to comment
out the following section from your WEB-INF/cocoon.xconf and restart
lenya:
<!--
<component-instance
class="org.apache.lenya.cms.ac.usecases.UserPassword"
logger="lenya.admin" name="admin.changePassword">
<view menu="true" template="usecases/admin/changePassword.jx">
<tab group="admin" name="users"/>
</view>
<exit usecase="admin.user"/>
</component-instance>
-->
there appears to be a local privilege escalation and dos exploit.
I would suggest let's comment it within trunk and add a TODO/Bug that
this needs to be protected better
before we enable it again.
very good idea. i'll be working on a fix this afternoon. should be done
and tested tomorrow.
--
"Open source takes the bullshit out of software."
- Charles Ferguson on TechnologyReview.com
--
Jörn Nettingsmeier, EDV-Administrator
Institut für Politikwissenschaft
Universität Duisburg-Essen, Standort Duisburg
Mail: [EMAIL PROTECTED], Telefon: 0203/379-2736
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
