#3246 "Alias types this user can edit" can be subverted

1.440
closed-fixed
5
2008-11-23
2008-11-22
Alain Knaff
No

Even if a user only has "Email address" in "Alias types this user can edit", he can still enter addresses such as |/bin/sh or /etc/passwd into the address field, allowing him to escalate his privileges.
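
The server-side check this report calls for, as an added example that is not part of the original ticket and not Webmin's own code: each submitted destination is classified by the prefix conventions of a sendmail-style aliases file and rejected unless its type is one the user may edit. The type names (`address`, `program`, `file`, `include`), the function names and the sample inputs are assumptions made for illustration.

```python
import re

# Strict allowlist for the "Email address" type: a local user or user@domain.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._+-]+(@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*)?")


def classify(dest):
    """Return the alias type of one destination, judged by its prefix."""
    d = dest.strip()
    # Surrounding quotes do not change how the entry is interpreted,
    # so remove them before looking at the prefix.
    if len(d) >= 2 and d[0] == d[-1] == '"':
        d = d[1:-1].strip()
    if d.startswith("|"):
        return "program"      # feed mail to a program
    if d.lower().startswith(":include:"):
        return "include"      # read addresses from a file
    if d.startswith("/"):
        return "file"         # append mail to a file
    if ADDRESS_RE.fullmatch(d):
        return "address"
    return "unknown"          # anything unrecognised fails closed


def check_alias(value, allowed_types):
    """Return the (destination, type) pairs this user may not submit.

    An alias value can hold several comma-separated destinations, so every
    element is checked; an empty result means the value is acceptable.
    """
    rejected = []
    for dest in value.split(","):
        kind = classify(dest)
        if kind not in allowed_types:
            rejected.append((dest.strip(), kind))
    return rejected


# Constructed sample inputs; the second and third are the ones from the report.
SAMPLES = ["alice@example.com", "|/bin/sh", "/etc/passwd",
           '"|/bin/sh"', "bob, :include:/tmp/list"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", check_alias(sample, {"address"}) or "accepted")
```

The check has to run on the submitted value at save time, because restricting the choices offered in the form does not constrain what is typed into the address field.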

Discussion

  • Jamie Cameron - 2008-11-23

    Thanks for pointing this out - it will be fixed in the next Webmin release.

  • Jamie Cameron - 2008-11-23

    • status: open --> closed-fixed
