Response to Stealing Email Addresses -3x

Posted by Jon Griffin on
ACS 3.x had MAJOR security flaws. I don't know if OpenACS 3.x patched all of these.

Basically you can type in a query at the right place and get whatever you want. That was one of the main reasons there was a weekend codefest at AD to patch that. Petru was the one who alerted the AD people.

I am sure there are still holes. I always use passwords on my DBs just in case, but if they attack through the web it is irrelevant.