Hi,

On Fri, May 4, 2012 at 8:16 AM, Angela Schreiber <[email protected]> wrote:
> Justin wrote:
> ...
>> FWIW, I consider this a non-issue. The web console already allows for
>> arbitrary code execution by installing a bundle :)
>
> it depends on what exactly is the nature of the service. if it was only
> accessible to the same privileged users that have access to the web
> console, you are right. however, if this leads to a privilege
> escalation for whatever reason, it definitely is a security issue....

In this case the plugin is only accessible to the admin user anyway, so Justin is right. I initially thought there was a generic execution servlet in the picture - sorry for the noise.

-Bertrand
