Jörn Nettingsmeier wrote:
hi!

if you're running lenya 1.4 in production or in any situation where you may have untrusted local users, or trusted users with a weird sense of humour and advanced computer skills, you will want to comment out the following section from your WEB-INF/cocoon.xconf and restart lenya:

<!--
<component-instance class="org.apache.lenya.cms.ac.usecases.UserPassword" logger="lenya.admin" name="admin.changePassword">
  <view menu="true" template="usecases/admin/changePassword.jx">
    <tab group="admin" name="users"/>
  </view>
  <exit usecase="admin.user"/>
</component-instance>
-->

there appears to be a local privilege escalation and DoS exploit.

Thanks for the pointer!
Would you mind filing a bug?

-- Andreas


--
Andreas Hartmann
Wyona Inc.  -   Open Source Content Management   -   Apache Lenya
http://www.wyona.com                      http://lenya.apache.org
[EMAIL PROTECTED]                     [EMAIL PROTECTED]
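A quick way to confirm that the workaround above actually took effect is to parse cocoon.xconf and list which component-instance usecases are still live. The script below is an added example, not part of the mailing-list thread or of Lenya itself; the two inline documents are constructed stand-ins for WEB-INF/cocoon.xconf (the root element, the second placeholder component and the file layout are assumptions, only the admin.changePassword block comes from the post). Because ElementTree's default parser discards XML comments, a block that has been commented out simply never shows up, so the check cannot be fooled by whitespace or attribute reordering the way a grep could.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed stand-in for WEB-INF/cocoon.xconf with the usecase still active.
# <cocoon> as root and the "example.Placeholder" component are assumptions.
XCONF_ACTIVE = """<cocoon>
  <component-instance class="org.apache.lenya.cms.ac.usecases.UserPassword"
                      logger="lenya.admin" name="admin.changePassword">
    <view menu="true" template="usecases/admin/changePassword.jx">
      <tab group="admin" name="users"/>
    </view>
    <exit usecase="admin.user"/>
  </component-instance>
  <component-instance class="example.Placeholder"
                      logger="lenya.admin" name="admin.user"/>
</cocoon>
"""

# Constructed stand-in after applying the workaround: same block, commented out.
XCONF_DISABLED = """<cocoon>
  <!--
  <component-instance class="org.apache.lenya.cms.ac.usecases.UserPassword"
                      logger="lenya.admin" name="admin.changePassword">
    <view menu="true" template="usecases/admin/changePassword.jx">
      <tab group="admin" name="users"/>
    </view>
    <exit usecase="admin.user"/>
  </component-instance>
  -->
  <component-instance class="example.Placeholder"
                      logger="lenya.admin" name="admin.user"/>
</cocoon>
"""

# Usecase name taken from the post; this is the component the workaround removes.
RISKY_USECASE = "admin.changePassword"


def active_usecases(xconf_text: str) -> set:
    """Return the names of all component-instance elements that are live.

    ET.fromstring drops XML comments entirely, so anything wrapped in
    <!-- ... --> is invisible here, which is exactly what we want to verify.
    """
    root = ET.fromstring(xconf_text)
    return {
        el.get("name")
        for el in root.iter("component-instance")
        if el.get("name") is not None
    }


def change_password_enabled(xconf_text: str) -> bool:
    """True if the admin.changePassword usecase would still be wired up."""
    return RISKY_USECASE in active_usecases(xconf_text)


def check_file(path: str) -> bool:
    """Read a real cocoon.xconf from disk and apply the same check."""
    with open(path, encoding="utf-8") as fh:
        return change_password_enabled(fh.read())


if __name__ == "__main__":
    # Usage: python check_xconf.py /path/to/WEB-INF/cocoon.xconf
    # With no argument, run against the two constructed samples instead.
    if len(sys.argv) > 1:
        enabled = check_file(sys.argv[1])
        print(f"{sys.argv[1]}: {RISKY_USECASE} {'ENABLED' if enabled else 'disabled'}")
    else:
        for label, doc in (("active sample", XCONF_ACTIVE),
                           ("disabled sample", XCONF_DISABLED)):
            state = "ENABLED" if change_password_enabled(doc) else "disabled"
            print(f"{label}: {RISKY_USECASE} {state}; live usecases = "
                  f"{sorted(active_usecases(doc))}")
```

Run it against the real file after restarting Lenya; if it still reports ENABLED, the edit landed in the wrong place or the comment markers are unbalanced, both of which the parser will surface either as a live element or as a parse error.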

