Metasploit Framework is susceptible to a restriction bypass vulnerability in msfweb. This issue is due to a failure of the application to properly implement access control restrictions. This issue allows remote attackers to bypass security restrictions in the affected Web server. Attackers may exploit this issue to attack arbitrary computers using the Metasploit Framework, while originating the attacks from the computer hosting the vulnerable msfweb process. Attackers may also interact with the payload features in the Metasploit Framework to manipulate files on the hosting computer, likely leading to executing arbitrary commands and then complete system compromise.
Now that's funny. netmon : I guess we need to wait for a full release anyway ? See http://www.metasploit.com/archive/framework/msg00469.html
The fix is available through msfupdate and has been included in the 2.4 snapshots. Not sure how we can push a GLSA on this though, we probably need a fixed "version".
I am tempted to close this one as INVALID, please comment if you think I shouldn't.
Fixed in metasploit update. Won't issue a GLSA about an hole in a exploit framework. Feel free to reopen if you disagree.
