I regret to announce that I've located a potential security risk for tmda-cgi users who run in system-wide mode. This advisory affects all versions of tmda-cgi.
This security advisory may be safely ignored by TMDA users who do not use tmda-cgi or who run tmda-cgi in single-user or no-su modes.

Although I know of no current exploits, I've determined that it would be possible for a malicious user with an unprivileged account on a server running tmda-cgi in system-wide mode to execute privileged commands. Fortunately, anonymous users on the web and other users without an account on the server could not take advantage of this exploit to gain access.

tmda-cgi users who currently run in system-wide mode are strongly encouraged to upgrade their contrib/cgi files to those now available in CVS. tmda-cgi users who have versions prior to 0.66 should upgrade their entire TMDA install to the most recent release and then get the contrib/cgi files from CVS.

Please e-mail me directly if you have difficulties in this matter. <[EMAIL PROTECTED]>

Gre7g.

_________________________________________________
tmda-workers mailing list ([EMAIL PROTECTED])
http://tmda.net/lists/listinfo/tmda-workers
