changeset 944:1e0f49aa75f3

security
author Alain Mazy <am@osimis.io>
date Wed, 26 Apr 2023 08:35:35 +0200
parents e5bfa890c265
children 11d7d30ca273
files Sphinx/source/faq/security.rst
diffstat 1 files changed, 5 insertions(+), 3 deletions(-)
line diff
--- a/Sphinx/source/faq/security.rst	Mon Apr 24 11:35:14 2023 +0200
+++ b/Sphinx/source/faq/security.rst	Wed Apr 26 08:35:35 2023 +0200
@@ -114,9 +114,11 @@
     end
 
   Very importantly, make sure to protect ``POST`` access to the
-  ``/tools/execute-script`` URI. This URI can indeed be used by a
-  malicious user to execute any system command on the computer as the
-  user that runs Orthanc.
+  ``/tools/execute-script`` and ``/instances/../export`` URIs. 
+  The first URI can indeed be used by a malicious user to execute any 
+  system command on the computer as the user that runs Orthanc.  The second
+  URI can be used by a malicious user to overwrite system files possibly
+  with malicious DICOM files that may lead to execution of system commands.
 
 * Consider implementing a :ref:`higher-level application
   <improving-interface>` (e.g. in PHP, Java, Django...) that takes
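Review bot: the placeholder in ``/instances/../export`` reads as a literal parent-directory traversal sequence rather than as an instance identifier, which is confusing in a paragraph about URIs that must be protected; spell the placeholder out, for instance ``/instances/{id}/export``, so readers know the whole instance-level export route is meant and not a specific ``..`` string. Two smaller points on the added lines: the first two of them end with trailing whitespace, and the final sentence is hard to parse because "possibly" floats between two clauses; a split such as "The second URI can be used by a malicious user to overwrite system files with DICOM files of their choosing, which may lead to execution of system commands." keeps the same meaning and reads more clearly.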