[issue5802] The security descriptors of python binaries in Windows are not strict enough

2010-03-02 Thread Hong Chen
Hong Chen added the comment: Sure. Thank you for the information! Hong On Tue, Mar 2, 2010 at 4:26 AM, R. David Murray wrote: > > R. David Murray added the comment: > > See also issue 1284316, which is still open, and should probably remain open > even though there's no

[issue5802] The security descriptors of python binaries in Windows are not strict enough

2010-02-28 Thread Hong Chen
Hong Chen added the comment: Sorry for the delay, it's been a busy month. I just tried python 3.1. If installed under c:\program files, the access control list would be correct, only system & administrator accounts get the modify privilege. The default installation is to c:\python31,

[issue5802] The security descriptors of python binaries in Windows are not strict enough

2010-02-07 Thread Hong Chen
Hong Chen added the comment: Thanks for the reply. I can log in as a non-admin user and replace python.exe with another binary. Does that serve as an attack example? Hong On Sun, Feb 7, 2010 at 7:14 PM, Brian Curtin wrote: > > Changes by Brian Curtin : > > > -- &g

[issue5802] The security descriptors of python binaries in Windows are not strict enough

2009-04-20 Thread Hong Chen
New submission from Hong Chen: The security descriptors of python binaries (like python.exe, pythonw.exe, etc) allow any Authenticated Users to modify these binaries. This may cause a privilege-escalation problem since administrators may use python binaries when performing administrative tasks