
List:       shibboleth-users
Subject:    RE: Ex: Re: SSPCPP-961
From:       "Paul B. Henson" <henson () cpp ! edu>
Date:       2023-03-09 2:04:18
Message-ID: PH0PR01MB75237C87842D8049BB630BB9D2B59 () PH0PR01MB7523 ! prod ! exchangelabs ! com

> From: Cantor, Scott
> Sent: Wednesday, March 8, 2023 5:22 AM
> 
> That's why I didn't want to do it. The intent as Rod said was not to do that on
> upgrades, so please file a bug.

Done.
 
> I simply didn't have the time to keep arguing with the guy about it, but I did
> warn him that at the first sign of trouble, it was getting pulled.

Doesn't Jira have a "CLOSED WONTFIX" option :)? Dunno. It's not like the installation
instructions didn't call it out, but on the other hand, how many Windows
administrators are going to go back and tune up ACLs by hand after they double-click
the installer?

If random authenticated users can in general access your server you're in a bad
situation to begin with. The primary thing I could see happening with this is if
somebody got a remote compromise with low privileges they could potentially escalate
by doing this, but on the other hand, depending on the patch level of the server,
they would have quite the menu of bundled vulnerabilities to choose from.

-- 
For Consortium Member technical support, see https://shibboleth.atlassian.net/wiki/x/ZYEpPw
To unsubscribe from this list send an email to users-unsubscribe@shibboleth.net

