severity 561339 normal
thanks

Hi Sean and Steffen,

I am downgrading this bug due to the nature of this problem. While it is true that you can get e.g. a shell on a system because of this issue I see no privilege escalation here, no existing restrictions are bypassed in any way. The admin is expected to be able to define such Data Input Methods.

While I agree that it may make sense to fix this with a whitelist approach I don't see this as a grave issue because a) it's limited to authenticated *admins* and b) is not bypassing any restrictions in place. This issue basically exists with every kind of software that allows an administrator to specify certain commands in order to get some desired values.

Cheers
Nico

--
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.