* Josh Berkus (j...@agliodbs.com) wrote: > The only way I can see this being of real use to an attacker is if they > could use this exploit to create a wormed version of PostgresQL on the > target build system. Is that possible?
I don't see why it wouldn't be- once the attacker is on the box as any user, they could gain access to the account doing the builds and then build whatever they want. Of course, if they've been able to compromise an account on the host it's entirely likely they've already been able to gain admin access (probably more easily than going through PG to get at the build user) and then it's a moot point. All that said- if we can use named pipes on Windows, ala what we do on Unix, I'm all for it.. Thanks, Stephen
Description: Digital signature