(this information is removed until it is investigated.)
If you would like to post security issues or announcements, contact our developers privately or mail to the mailing list.
Thanks,
Garvin
serendipity SQL Injection vulnerability
- Core Developer
- Posts: 30022
- Joined: Tue Sep 16, 2003 9:45 pm
- Location: Cologne, Germany
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
Kreon, what do you mean? I don't understand.
It would have really been good if you contacted us first
BTW, it is also bad style to offer a working exploit code example. You should work at your style reporting those bugs to do some good instead of opening doors to malicious users. :-/
Regards,
Garvin
You mean where to post those issues in the future? As nohn said, see http://www.s9y.org/21.html - this is our mailing list. You could also send it to our Sourceforge accounts, if you'd looked for a few minutes (garvinhicking at users dot sourceforge dot net)
Regards,
Garvin
Finding a bug and reporting it is much appreciated. With that said, no one involved in the development of the project is hiding. We appreciate your efforts, but would appreciate them even more if you would go through channels to let the developers see the bugs first and evaluate them rather than use a public forum to publish a working exploit.
We would certainly make sure to credit your efforts. In going ahead and publishing a bug, I hope you realize you are exposing end users.
Got hacked
Using 0.8 beta4, I got hacked by someone who identified themselves as "HackerMalaysia". They renamed all my categories, replaced the s9y logo with their logo saying "hack the planet", and put a skull on my most recent entry!!
Is this related to the exposed security issue?
Re: Got hacked
Sadly, yes. This can happen because security engineers put out exploits first before contacting vendors so that they can prepare a patch.
I'm heartily sorry for this, and I would've liked to avoid a situation like this. We are all developers doing our best with this project in our free time; as with all projects where many people are involved in their free time, sadly bugs can slip through.
Regards,
Garvin