  • Remove clamav from site admin options · 2de4e22a
    Hugh Davenport authored
    
    
    Bug #1057238
    CVE-2012-2244
    
    When a site administrator can manipulate the path for the
    clamav scanner, they could produce either a reverse shell,
    or allow any user to execute arbitrary remote commands by
    setting it to an uploaded reverse shell, or to /bin/bash
    respectively.
    
    Other executable paths, namely pathtozip, and pathtounzip
    are only set via config.php, and not through the site admin
    interface. This option, pathtoclam, should follow the same
    design.
    
    Change-Id: I7d4822c9f54eda80682d6631699c1ab40f1dc896
    Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>
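
The design the commit message describes, sketched as an added example that is not the project's own code: settings that name an executable are read from config.php only, are dropped from site admin form submissions, and ignore any value already stored in the database. All function names, the constant, and the sample values are hypothetical; only the keys `pathtoclam`, `pathtozip` and `pathtounzip` come from the commit message.

```php
<?php
// Added illustration: hypothetical names throughout, not the project's code.

// Settings that name an executable may only come from config.php.
const CONFIG_ONLY_KEYS = ['pathtoclam', 'pathtozip', 'pathtounzip'];

/** Values as they would be set in config.php (constructed sample). */
function load_file_config(): array {
    return ['pathtoclam' => '/usr/bin/clamscan'];
}

/**
 * Filter a submitted site admin form: drop every config-only key so it can
 * never reach the database-backed settings store, and log the attempt.
 */
function filter_admin_submission(array $submitted): array {
    $accepted = [];
    foreach ($submitted as $key => $value) {
        if (in_array($key, CONFIG_ONLY_KEYS, true)) {
            error_log("rejected attempt to set config-only key: $key");
            continue;
        }
        $accepted[$key] = $value;
    }
    return $accepted;
}

/**
 * Resolve a setting. Config-only keys ignore the database entirely, so a
 * row stored before the option was removed from the admin UI has no effect.
 */
function get_setting(string $key, array $fileConfig, array $dbConfig): ?string {
    if (in_array($key, CONFIG_ONLY_KEYS, true)) {
        return $fileConfig[$key] ?? null;
    }
    return $fileConfig[$key] ?? $dbConfig[$key] ?? null;
}

// Constructed sample: a stale database row and a form submission both try
// to point the scanner path somewhere else.
$db   = ['pathtoclam' => '/bin/bash', 'sitename' => 'Example'];
$form = ['pathtoclam' => '/bin/bash', 'sitename' => 'New name'];

$db   = array_merge($db, filter_admin_submission($form));
$file = load_file_config();

var_dump(get_setting('pathtoclam', $file, $db)); // resolved from config.php
var_dump(get_setting('sitename', $file, $db));   // ordinary admin setting
```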