[pmwiki-users] suggestion for security notifications
Patrick R. Michaud
pmichaud at pobox.com
Tue Sep 5 09:29:23 CDT 2006
On Tue, Sep 05, 2006 at 03:11:26PM +0200, Dominique Faure wrote:
> On 9/5/06, Neil Herber <nospam at eton.ca> wrote:
> > So please, if you have found a vulnerability of any type, send a
> > *private* email to Patrick first and discuss it with him.
> >
> > No sense in giving the bad guys a head start.
>
> According to the original discoverer's site [1] and the PmWiki change log [2],
> this is quite an old vulnerability, which has already been taken into
> account.
>
> [1] http://www.ush.it/2006/01/24/pmwiki-multiple-vulnerabilities/
> [2] http://www.pmwiki.org/wiki/PmWiki/ChangeLog
Actually, the isc.org announcement is a new unreported vulnerability
that is being actively exploited.

The change in January [1, 2 above] did indeed take care of the
vulnerability as it appeared then, but a new attack vector has
been discovered that is somewhat related to the previous one.

All I can say is that 'register_globals' is totally evil.

Pm