[rt-devel] Security Problem in 2.0.15
darren chamberlain
darren at boston.com
Fri Feb 21 11:09:52 EST 2003
* Warnke, Andreas <Andreas.Warnke at 3SOFT.de> [2003-02-21 10:23]:
> You can execute every Perl code on the server even if you have no
> access to the server. This is a bit scary - from my point of view. I
> hope you have set this straight with RT3?
This is an issue with Text::Template, which the scrips use to embed Perl
into the body of the templates. Everything in { } is executed as Perl.
See the "Security Matters" section of the Text::Template docs.
(darren)
--
Do you realize how many holes there could be if people would
just take the time to take the dirt out of them?
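
Added example, not part of the original message and not RT's own code: the same template filled in twice with Text::Template, once unrestricted and once inside a `Safe` compartment passed through the `SAFE` option of `fill_in`. The template body, the variable names and the `render` helper are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Text::Template;
use Safe;

# Constructed template body: two plain variables, one arithmetic fragment,
# and one fragment that asks Perl to run an external command.
my $body = <<'END';
Ticket {$id}: {$subject}
Answer: { 6 * 7 }
Host: { `hostname` }
END

# Hypothetical helper: fill in $body, collecting the error of every
# program fragment that failed to compile or run.
sub render {
    my (%extra) = @_;
    my @refused;
    my $tmpl = Text::Template->new(TYPE => 'STRING', SOURCE => $body)
        or die "template error: $Text::Template::ERROR";
    my $out = $tmpl->fill_in(
        HASH   => { id => 42, subject => 'printer offline' },
        # BROKEN is called for each failing fragment; its return value
        # replaces that fragment in the output.
        BROKEN => sub {
            my %arg = @_;
            chomp(my $err = $arg{error});
            push @refused, $err;
            return '[fragment refused]';
        },
        %extra,
    );
    return ($out, \@refused);
}

# Default behaviour: every { } fragment is evaluated as ordinary Perl in
# the calling process, so the backtick fragment really runs `hostname`.
my ($plain) = render();
print "--- unrestricted ---\n$plain";

# Same template inside a Safe compartment with its default opcode mask.
# Variable interpolation and arithmetic still work; the backtick operator
# is outside the mask, so that fragment fails and reaches BROKEN.
my ($boxed, $refused) = render(SAFE => Safe->new);
print "--- SAFE ---\n$boxed";
print "refused: $_\n" for @$refused;
```

`Safe` restricts which Perl opcodes a fragment may use; it is not a complete sandbox, so template editing rights still need to be limited to trusted users.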