The "sh" option in the sage notebook allows anyone to access the command-line shell on the sage server. This grants users access to any directory on the server, including configuration settings, etc. Even the "Try Sage Online" link on the main page (www.sagenb.org) lets users do this.
This is a potential security hole for all sage servers. (The "sh" option I'm talking about is in the drop-down menu that selects the backend to process user commands, such as sage, maxima, r, gap, gp, python, and so on.)