serendipity SQL Injection vulnerability
Posted: Wed Apr 13, 2005 6:19 pm
by ADZ Security Team
(this information is removed until it is investigated.)
If you like to post security issues or announcements, contact our Developers privately or mail to the mailing list.
Thanks,
Garvin
Posted: Wed Apr 13, 2005 7:17 pm
by kreon (ADZ)
I couldn't find your private mail

So, I've put this message here.
Posted: Wed Apr 13, 2005 7:21 pm
by nohn
The address of our mailing list is on our website.
Posted: Wed Apr 13, 2005 7:30 pm
by garvinhicking
Posted: Wed Apr 13, 2005 7:37 pm
by kreon
Heh

Echo mail to disclose all next bugs, please

Posted: Wed Apr 13, 2005 7:40 pm
by garvinhicking
Kreon, what do you mean? I don't understand.
It would have really been good if you contacted us first
BTW, it is also bad style to offer a working exploit code example. You should work at your style reporting those bugs to do some good instead of opening doors to malicious users. :-/
Regards,
Garvin
Posted: Wed Apr 13, 2005 7:45 pm
by kreon
I mean email-address to send info about bugs

Posted: Wed Apr 13, 2005 7:46 pm
by garvinhicking
You mean where to post those issues in the future? As nohn said, see
http://www.s9y.org/21.html - this is our mailing list. You could also send it to our Sourceforge accounts, if you'd looked for a few minutes (garvinhicking at users dot sourceforge dot net)
Regards,
Garvin
Posted: Thu Apr 14, 2005 1:13 am
by gizmola
Finding a bug and reporting it is much appreciated. With that said, no one involved in the development of the project is hiding. We appreciate your efforts, but would appreciate them even more if you would go through channels to let the developers see the bugs first and evaluate them rather than use a public forum to publish a working exploit.
We would certainly make sure to credit your efforts. In going ahead and publishing a bug, I hope you realize you are exposing end users.
Got hacked
Posted: Fri Apr 15, 2005 3:31 am
by dermk4
Using 0.8 beta4, got hacked by someone who identified themselves as "HackerMalaysia". They renamed all my categories, replaced the s9y logo with their logo saying "hack the planet", and had put a skull on my most recent entry!!
Is this related to the exposed security issue?
Re: Got hacked
Posted: Fri Apr 15, 2005 10:16 am
by garvinhicking
Sadly, yes. This can happen because security engineers put out exploits first before contacting vendors so that they can prepare a patch.
I'm heartily sorry for this, and I would've liked to avoid a situation like this. We are all developers doing our best with this project in our free time; as with all projects where many people are involved in their free time, sadly bugs can slip through.
Regards,
Garvin
Re: Got hacked
Posted: Thu Dec 01, 2005 7:19 pm
by mr X
uhhhhh... so the solution is update.. patch..update..patch... wahhh