lists.openwall.net - Open Source and information security mailing list archives
Date: Mon, 9 Mar 2009 19:51:07 +0100
From: Julien Thomas <julien.thomas.1@...il.com>
To: bugtraq@...urityfocus.com
Subject: Re: Vulnerability CVE-2008-3671 - MyReview's vulnerability in the access control system

Good Evening.

After having received your message, I checked the new version of
MyReview to see whether they took my patch into account (I sent it to
them in private) or not. Unfortunately, they didn't.

Besides, they didn't reply to my messages either. I've just sent them a
new message, just in case ...

However, concerning any patch, I don't want to disclose one, as I want
to let the MyReview developers manage that. This is due to the nature
of the bugs:
- incorrect configuration of the project files. Though this could be
considered an installation mistake, I think the MyReview developers
should consider it. They can correct that with an advanced
installation script or at least inform users about this problem.
- correcting this bug requires project updates, as some
functionalities would not work if the mentioned correction were
made. This second point is clearly a task that has to be done by the
MyReview developers.

Besides, the link between the patch and the exploitation of the bug is
straightforward, and I don't want to be at the origin of attack exploits
...

So I do not know what to do:
- patch disclosure may lead to the creation of exploits
- patch non-disclosure does not solve the bug, announced for the first
time 8 months ago ...

What do you think about that?

Best Regards,
Julien Thomas

On Mon, Mar 9, 2009 at 8:50 AM,  <alexchf.fyp@...il.com> wrote:
> Is there any patch for the v1.9.9 to avoid this security issue?
>



-- 
-- Julien Thomas

More information (projects, personal website, ...) http://www.julienthomas.eu/
