Forum OpenACS Q&A: Re: RFC: Security policy for OpenACS (Security hole in OpenACS 5.1!)

Collapse
8: Re: RFC: Security policy for OpenACS (Security hole in OpenACS 5.1!) (response to 1)
Posted by Ola Hansson on 05/28/04 07:40 PM
Tom, Jeff explained it here: https://openacs.org/forums/message-view?message_id=182057

Once someone has an admin account on OpenACS he could install acs-developer-support and and execute code via the its tcl shell feature.

This is not restricted to just 5.1, I believe...

Collapse
23: Re: RFC: Security policy for OpenACS (Security hole in OpenACS 5.1!) (response to 8)
Posted by Steve Manning on 05/29/04 03:49 PM
<blockquote>
Once someone has an admin account on OpenACS he could install acs-developer-support and and execute code via the its tcl shell feature.

</blockquote>

If acs-developer-support is such a powerful tool why make it available for install from the repository? Atleast if it was a local install only you would need access to the local file system before being able to install it.

    - Steve