Services are started with the system privileges. If somebody is able to place that .exe in the specified directory, then it will be executed on service start. So, yes, I too agree with Asif that it is an important issue and should be fixed in the code at the earliest.
On Tue, Oct 29, 2013 at 12:46 PM, Naoya Anzai <anzai-naoya@mxu.nes.nec.co.jp> wrote:
> Hi Sandeep
>
>> I think, you should change the subject line to "Unquoted service path containing space is vulnerable and can be exploited on Windows" to get the attention.. :)
> Thank you for advice!
> I'll try to post to pgsql-bugs again.
I could also reproduce this issue. The situation is very rare such that an "exe" with name same as first part of directory should exist in installation path.
I believe it is a security risk with bigger impact as it is related to Windows environment and as installers rely on it.
I suggest you can post your patch in next commit fest.
Yes. Are not vulnerabilities/security risks taken care of on a more urgent basis?
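An audit for the condition discussed in this thread, as an added example that is not part of the original messages or of PostgreSQL's code: it flags service command lines whose executable path contains a space but is not quoted, lists the paths Windows would try first, and gives the quoted form. The service names and ImagePath values are constructed samples, and treating the first `.exe` as the end of the executable is an assumption of this sketch.

```python
import re

# Constructed ImagePath values for illustration; not taken from the thread.
SAMPLE_SERVICES = {
    "pg-unquoted": r'C:\Program Files\PostgreSQL\bin\pg_ctl.exe runservice -N "pg-unquoted"',
    "pg-quoted": r'"C:\Program Files\PostgreSQL\bin\pg_ctl.exe" runservice -N "pg-quoted"',
    "pg-nospace": r'C:\pgsql\bin\pg_ctl.exe runservice -N "pg-nospace"',
}

_EXE = re.compile(r'^(.*?\.exe)(?=\s|$)', re.IGNORECASE)

def split_image_path(image_path):
    """Return (exe, rest, quoted). Heuristic: an unquoted exe ends at the first '.exe'."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end != -1:
            return s[1:end], s[end + 1:], True
        s = s[1:]  # unbalanced quote: treat the remainder as unquoted
    m = _EXE.match(s)
    if m:
        return m.group(1), s[m.end():], False
    exe, _, rest = s.partition(" ")
    return exe, (" " + rest if rest else ""), False

def earlier_candidates(exe):
    """Paths Windows tries before `exe` when the command line is unquoted."""
    out = []
    for i, ch in enumerate(exe):
        if ch == " ":
            prefix = exe[:i]
            leaf = prefix.rsplit("\\", 1)[-1]
            # A name without an extension gets ".exe" appended by Windows.
            out.append(prefix if "." in leaf else prefix + ".exe")
    return out

def audit(services):
    """Map each affected service name to its candidate paths and quoted fix."""
    findings = {}
    for name, image_path in services.items():
        exe, rest, quoted = split_image_path(image_path)
        if not quoted and " " in exe:
            findings[name] = {"candidates": earlier_candidates(exe),
                              "fixed": '"' + exe + '"' + rest}
    return findings

if __name__ == "__main__":
    for name, f in audit(SAMPLE_SERVICES).items():
        print(name, f["candidates"], f["fixed"], sep="\n  ")
```

Each candidate path that a non-administrator can create is where the finding becomes exploitable, so the directory ACLs of those locations are worth checking alongside the quoting fix.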