User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:6.0.1) Gecko/20100101 Firefox/6.0.1
Build ID: 20110830092941

Steps to reproduce:

The Evaluator should be removed from the Error Console (EC) and Web Console (WC), which is vulnerable to a critical security exploit that allows an attacker to run arbitrary code on a 3rd-party server. For example, an attacker can run arbitrary code such as this:

var target="127.0.0.1";
hack(target);
shutdown(target);

This security exploit should be resolved as soon as possible.

Actual results:

The Evaluator is still on the consoles. This evaluator should be removed per the description.

Expected results:

The Evaluator should not be on any consoles anymore.

How many entities are involved in your scenario, three (attacker, user, server) or two (attacker/user and server)? Are you proposing a way for a remote attacker to compromise the user? If so, we'll need more information. If the user -is- the attacker then the server needs to be robust against that situation in any case: the internet is a hostile place. The code-running abilities of the console are no different than what add-ons or a custom client could do.