On 02/04/2015 05:55 PM, Warren Young wrote: >> On Feb 4, 2015, at 3:16 PM, Lamar Owen <lowen at pari.edu> wrote: >> >> There have been remotely exploitable vulnerabilities where an arbitrary file could be read > CVEs, please? CVE-2006-3392 for one. As this one was against Webmin, well, webmin by nature has to have root access. Yeah, webmin should not be configured to be accessible from the internet at large, but that's not the point. Yes, it is an old one, but there are I'm sure other vulnerabilities that have either not been found or not been published. And then, a long time ago, in an OS far far away, there was CVE-2000-0915 (FreeBSD 4.1.1 Finger Arbitrary Remote File Access) where the advisory text description included the following wording: "The finger daemon running on the remote host will reveal the contents of arbitrary files when given a command similar to the following : finger /etc/passwd at target Which will return the contents of /etc/passwd."