* Matthias Wächter <matthias / waechter.wiz.at> (10:30) wrote:

> Injection is very bad irrespective of the user rights and which
> parameter is vulnerable. If it's not the password, he might pass the
> username to the executed command, then it's the same. Finally, a
> parameter (like the given password) like "%PATH%" will make the
> command not work, a password like "; rm -rf /*;" will have other
> side effects that are certainly not assumed by the programmer.

But it doesn't enable the user to do things he isn't allowed to do, so
it's not a security problem. But it might make it easier to shoot
yourself in the foot.

Best regards,              simon .... l