Forum OpenACS Q&A: Re: RFC: Security policy for OpenACS (Security hole in OpenACS 5.1!)

Tom, Jeff explained it here: https://openacs.org/forums/message-view?message_id=182057

Once someone has an admin account on OpenACS he could install acs-developer-support and execute code via its tcl shell feature.

This is not restricted to just 5.1, I believe...

<blockquote>
Once someone has an admin account on OpenACS he could install acs-developer-support and execute code via its tcl shell feature.

</blockquote>

If acs-developer-support is such a powerful tool, why make it available for install from the repository? At least if it was a local install only, you would need access to the local file system before being able to install it.

    - Steve