serious security hole

Found a bug? Tell us!!
frog-man
Posts: 4
Joined: Sun May 23, 2004 11:49 pm

serious security hole

Post by frog-man »

Please contact me about a serious security hole in Serendipity v 6.0 pl1.
Here is a fix for this vulnerability :

url-removed until patch is released
Last edited by frog-man on Mon May 24, 2004 1:20 am, edited 1 time in total.
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany

Re: serious security hole

Post by garvinhicking »

Thanks for your note.

However, a serious and upright bug reporter would FIRST inform the developers PRIVATELY, and after THEY have published a fix you can tell about the vulnerability. That's the way it works with nearly all honest open-source vulnerability reports. It's sad to see which way you went without giving us the ability or time to take the right actions.

Of course we will release a 0.6-pl2 version shortly. :-)
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
frog-man
Posts: 4
Joined: Sun May 23, 2004 11:49 pm

hum

Post by frog-man »

I know what should make a "serious bug reporter" but a "serious webmaster" should allow the bug reporters to contact him privately.
When I click on "contact", I've 3 choices :
- Mailing list (not private)
- IRC (nobody!)
- Forums (here I am)

I haven't explained the vulnerability, and I'm waiting for a mail or a private message like I said in my previous post.
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany

Re: hum

Post by garvinhicking »

frog-man wrote: I know what should make a "serious bug reporter" but a "serious webmaster" should allow the bug reporters to contact him privately.
When I click on "contact", I've 3 choices :
- Mailing list (not private)
- IRC (nobody!)
- Forums (here I am)
Look at s9y.org, our wiki. There are the developers, most with personal webpages which you could have contacted.

You could have looked on our mailing list and asked there. Or just look at the developers posting there, they do have mail addresses.

You could have looked at our sourceforge-account, the lead developers are listed there with the ability to send them a message.

You could have sent a personal message to me or others through this forum.

The basic thing is, you shouldn't have posted the link on your homepage without trying to contact us seriously. The patch there explains exactly what the vulnerability is, so everyone already knows what the case is. If you have anything to add, you can point your mail client to 'serendipity at supergarv dot de'. :)

BTW, that only applies to servers with register_globals set to On, a setting which is suggested since PHP 4.1.0, so I do hope it's only a medium priority issue on well-hosted webservers. Of course there's no talking about the bug itself and that it shouldn't be inside of s9y.

Regards,
Garvin.
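The reply above says the issue only bites on hosts with register_globals set to On. The following is an added illustration (not code from this thread and not Serendipity's own code) of the general defect class that setting enables, with the defensive pattern that closes it whatever the ini value is. The variable and parameter names ($authorized, page) are constructed for the example.

```php
<?php
// Constructed example: how register_globals = On turns an uninitialised
// variable into request-controlled state, and how to code so it cannot.

// --- Fragile pattern (global scope, silently assumes register_globals = Off) ---
// With register_globals = On, PHP pre-populates a global named after every
// request parameter. A request carrying authorized=1 therefore sets
// $authorized = "1" before this code runs, and the check below passes
// without the session ever being consulted.
if (isset($_SESSION['user']) && $_SESSION['user'] === 'admin') {
    $authorized = true;
}
if (!empty($authorized)) {
    // privileged action would happen here
}

// --- Hardened pattern ---
// 1. Initialise every variable before its first use, so any value PHP
//    injected from the request is overwritten rather than trusted.
$authorized = false;
if (isset($_SESSION['user']) && $_SESSION['user'] === 'admin') {
    $authorized = true;
}

// 2. Read request input only through the superglobals ($_GET, $_POST, $_COOKIE)
//    and coerce it to the expected type; never rely on a bare variable name
//    having been filled in by the runtime.
$page = isset($_GET['page']) ? (int) $_GET['page'] : 1;

// 3. Detect the weak setting at runtime and refuse to continue.
//    ini_get() is a standard PHP function; register_globals was removed
//    entirely in PHP 5.4, so this check only matters on old interpreters.
if (ini_get('register_globals')) {
    trigger_error(
        'register_globals is On; set "register_globals = Off" in php.ini',
        E_USER_ERROR
    );
}
```

The corresponding php.ini line is simply `register_globals = Off`; the code-level discipline (initialise first, read input only from superglobals) is what makes an application safe on hosts whose php.ini you do not control.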
frog-man
Posts: 4
Joined: Sun May 23, 2004 11:49 pm

hum

Post by frog-man »

Well, I could also do nothing !
I don't use your product and I do this for free !
Please don't forget it...
But I'm not like that and I'll thus contact you by mail.
Sorry for my poor English.
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany

Re: hum

Post by garvinhicking »

Please don't reverse the situation - of course we do very much appreciate your effort on helping us and fixing the bug. It's just that there are some things to pay attention to when doing so; especially as I see you have experience with reporting bugs on your site.

I'm sorry if I may sound rude, I just think there are common ways of reporting security issues, and it didn't go that way...

Best regards, and we're working on it. :)
Garvin.
frog-man
Posts: 4
Joined: Sun May 23, 2004 11:49 pm

plop

Post by frog-man »

No problem I understand very well.

Maybe I want to work too fast so I don't make the most I could :)

Good work ;)

frog