List:       shibboleth-users
Subject:    Re: SSPCPP-961
From:       "Cantor, Scott via users" <users () shibboleth ! net>
Date:       2023-03-09 13:28:42
Message-ID: F1EF5704-80CC-44A7-89C6-1A965C98E13D () osu ! edu

> Doesn't Jira have a "CLOSED WONTFIX" option :)?

I could have.

> Dunno. It's not like the installation instructions didn't call it out

That was added, I had treated that as common sense.

> If random authenticated users can in general access your server you're in a bad
> situation to begin with. The primary thing I could see happening with this is if
> somebody got a remote compromise with low privileges they could potentially
> escalate by doing this, but on the other hand, depending on the patch level of
> the server, they would have quite the menu of bundled vulnerabilities to choose
> from.

This is one area Windows and Linux are the same. Local privilege escalation is a
given and is pointless to try and stop. Multi-user servers are not a thing, if they
ever were. That's why I didn't issue an advisory. Both that and denial of service
don't even register with me anymore.

-- Scott

