Samuel Krempp wrote, on 25/03/2012 11:41:
I see GOsa devs noticed the security issue 19 months ago: https://oss.gonicus.de/labs/gosa/ticket/1026 "Additionally the script parameter are not escaped right now, somebody could do nasty thing with it. I will have a look at this too." How serious is knowingly leaving such a vulnerability, with an easy fix, open for 19 months?
Sorry, did not check before posting, the issue was indeed fixed 19 months ago in GOsa trunk, I shouldn't send emails with one hand while playing with my kids with the other:
https://oss.gonicus.de/labs/gosa/changeset/19467
It's been present in releases since GOsa's 2.6.12, so SkoleLinux should upgrade. It's rather important to prevent malicious students from executing arbitrary commands as www-data, and hopefully there isn't any change that breaks skolelinux: https://oss.gonicus.de/labs/gosa/changeset?old_path=%2Ftags%2F2.6.12&old=20607&new_path=%2Ftags%2F2.6.11&new=20520
Once the GOsa version is updated and %userPassword is properly escaped, my patch will likely have to be reversed.