serendipity SQL Injection vulnerability

ADZ Security Team

serendipity SQL Injection vulnerability

Post by ADZ Security Team »

(this information is removed until it is investigated.)

If you like to post security issues or announcements, contact our Developers privately or mail to the mailing list.

Thanks,
Garvin
kreon (ADZ)

Post by kreon (ADZ) »

I couldn't find your private mail :)
So I've put this message here.
nohn
Regular
Posts: 37
Joined: Fri Oct 08, 2004 3:28 pm

Post by nohn »

The address of our mailing list is on our website.
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany
Contact:

Post by garvinhicking »

# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
kreon

Post by kreon »

Heh :) E-mail to disclose all next bugs, please :)
garvinhicking

Post by garvinhicking »

Kreon, what do you mean? I don't understand.

It would have really been good if you contacted us first :-)

BTW, it is also bad style to offer a working exploit code example. You should work on your style of reporting those bugs so as to do some good instead of opening doors to malicious users. :-/

Regards,
Garvin
kreon

Post by kreon »

I mean email-address to send info about bugs :)
garvinhicking

Post by garvinhicking »

You mean where to post those issues in the future? As nohn said, see http://www.s9y.org/21.html - this is our mailing list. You could also send it to our Sourceforge accounts, if you'd looked for a few minutes (garvinhicking at users dot sourceforge dot net) :-)

Regards,
Garvin
gizmola
Regular
Posts: 37
Joined: Mon Oct 25, 2004 11:54 pm

Post by gizmola »

Finding a bug and reporting it is much appreciated. With that said, no one involved in the development of the project is hiding. We appreciate your efforts, but would appreciate them even more if you would go through channels to let the developers see the bugs first and evaluate them, rather than use a public forum to publish a working exploit.

We would certainly make sure to credit your efforts. In going ahead and publishing a bug, I hope you realize you are exposing end users.
dermk4

Got hacked

Post by dermk4 »

Using 0.8 beta4, I got hacked by someone who identified themselves as "HackerMalaysia". They renamed all my categories, replaced the s9y logo with their logo saying "hack the planet", and put a skull on my most recent entry!!

Is this related to the exposed security issue?
garvinhicking

Re: Got hacked

Post by garvinhicking »

Sadly, yes. This can happen because security engineers put out exploits before contacting vendors so that they can prepare a patch.

I'm heartily sorry for this, and I would've liked to avoid a situation like this. We are all developers doing our best with this project in our free time; as with all projects where many people are involved in their free time, sadly bugs can slip through.

Regards,
Garvin
mr X

Re: Got hacked

Post by mr X »

Uhhhhh... so the solution is update... patch... update... patch... wahhh