This article applies to BoKS Manager 6.5, 6.6, 6.7 and 7.0.0.
SUEXEC access routes with the suexec_touserenv modifier can allow arbitrary command execution.
Resolution / Workaround
Apply the hotfix for your version on the Master and on all Server Agents and Replicas: HFBM-0165 (BoKS 7.0), HFBM-0164 (BoKS 6.6, BoKS 6.7) or TFS161110-012881 (BoKS 6.5). The hotfixes are available for download from the HelpSystems Community Portal.
With the hotfix applied, when the suexec_touserenv modifier is set, suexec quotes the parameters and makes the call through a new intermediate program, which prevents the shell from interpreting special characters.
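The quoting idea behind this fix, as an added example that is not BoKS or HelpSystems code: it can serve as a regression check that a parameter containing special characters reaches the command as one literal argument. The function names, the use of `echo` and the sample parameter are constructed for illustration, and the "pre-fix" and "post-fix" patterns are assumptions about the general technique, since this page does not show the hotfix's intermediate program.

```sh
#!/bin/sh
# Constructed demonstration, not BoKS code: why parameters must be quoted
# before they are placed on a command line that a shell will parse.

# Pre-fix pattern (assumed): parameters are pasted into the string given to
# `sh -c`, so the shell parses any special characters they contain.
run_unquoted() {
    cmd=$1; shift
    sh -c "$cmd $*"
}

# Quote one word for sh: wrap it in single quotes and rewrite each embedded
# single quote as '\'' so nothing inside the word is special to the shell.
sh_quote() {
    printf "'"
    printf '%s' "$1" | sed "s/'/'\\\\''/g"
    printf "'"
}

# Post-fix pattern (assumed): every word is quoted first, so the shell hands
# each parameter to the command as one literal argument.
run_quoted() {
    line=
    for word in "$@"; do
        line="$line $(sh_quote "$word")"
    done
    sh -c "$line"
}

# Constructed parameter containing a shell command separator.
param='report.txt; echo SECOND-COMMAND-RAN'

echo "unquoted:"; run_unquoted echo "$param"
echo "quoted:";   run_quoted   echo "$param"
```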