POV-Ray: Newsgroups: povray.general: Security Issues in Povray?: Re: Security Issues in Povray?

POV-Ray : Newsgroups : povray.general : Security Issues in Povray? : Re: Security Issues in Povray?		Server Time 6 Aug 2024 08:16:48 EDT (-0400)

From: ncryptor
Date: 22 Apr 2002 13:52:37
Message: <pan.2002.04.22.20.52.29.933850.7438@me.localdomain>

On Mon, 22 Apr 2002 20:40:05 +0300, Christoph Hormann wrote:

> 
> I must say i don't get it, a render farm (either PVM or some custom
> coordination program) starts povray internally, i don't see how you
> could 'obtain shell or other access'.  If you see a problem, please post
> an example where this becomes visible.
> 
> Note that being able to execute programs with Post_Scene_Command etc. is
> a different topic, but therefore IO-restrictions are introduced in 3.5.
> 
> Christoph
> 

The render farm of some projects, such as IMP, are based on scripts
checking the server for new files, downloading them and running pov with
them. An exploiter could fool the script into running pov with a
command line which will allow access to the user's computer. for example,
the script might think that 'ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ...' is
the file name and try running pov with this command line.
This isn't concrete but a security leak is possible. The pov 3.5 IO
restrictions are do not block this kind of vulerability.

Post a reply to this message