phpMyFAQ 1.5.1 vulns


Moderator: Thorsten

severud
Posts: 10
Joined: Thu Jun 30, 2005 8:11 pm


Post by severud » Fri Sep 23, 2005 5:40 pm

Perhaps I missed it. Is there any comment on the security issues reported to bugtraq at http://rgod.altervista.org/phpmyfuck151.html?

Thorsten
Posts: 15025
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq
Contact:

Post by Thorsten » Fri Sep 23, 2005 8:05 pm

Hi,

I have known about it for some hours, and I'll release a new version with all fixes within the next hour. I would like to put emphasis on the disappointment I feel when a bug reporter does not contact the author of a software first, before posting any exploits. The common way to report this is to give the developers a reasonable amount of time to respond to an exploit before it is made public.

:-(

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
amazon.de Wishlist

ljvd
Posts: 21
Joined: Tue Aug 17, 2004 8:53 am
Location: Paris , France
Contact:

Post by ljvd » Sat Sep 24, 2005 5:21 pm

Thanks for your reactivity ;-)

Due to the success of phpMyFAQ, perhaps you could create an alert mailing list?

Best Regards,
Laurent J.V. Dubois
Your French Sales Partner

Thorsten
Posts: 15025
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq
Contact:

Post by Thorsten » Sat Sep 24, 2005 5:22 pm

Hi,

I'm thinking about a mailing list. You can also subscribe on Freshmeat, where I always release all phpMyFAQ versions.

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
amazon.de Wishlist

jazcyk
Posts: 385
Joined: Wed Sep 07, 2005 1:32 pm

Don't show version information!

Post by jazcyk » Sun Sep 25, 2005 3:20 am

Let me propose for the future that phpMyFAQ does NOT show version information. It is too easy to construct a robot that finds all vulnerable installations.

phpBB2 removed version information for the same reason.

It is sufficient that the admin panel shows it!

Thorsten
Posts: 15025
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq
Contact:

Post by Thorsten » Sun Sep 25, 2005 6:41 am

Hi,

> Let me propose for the future that phpMyFAQ does NOT show version information. It is too easy to construct a robot that finds all vulnerable installations.

this is security by obscurity and does not work. I know that phpBB2 did that.

I stopped integrating new features and I'm working with some PHP developers including two PHP core developers to make phpMyFAQ as secure as possible. The nightly build from today already has patches against possible XSS implemented.

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
amazon.de Wishlist

jazcyk
Posts: 385
Joined: Wed Sep 07, 2005 1:32 pm

Post by jazcyk » Sun Sep 25, 2005 1:57 pm

> The nightly build from today already has patches

Does that mean that 1.5.2 has the same vulnerability as 1.5.1?

Thorsten
Posts: 15025
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq
Contact:

Post by Thorsten » Sun Sep 25, 2005 3:07 pm

Hi,

no, 1.5.2 fixes those reported vulnerabilities. But we implemented some more security features to make phpMyFAQ more secure.

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
amazon.de Wishlist

jazcyk
Posts: 385
Joined: Wed Sep 07, 2005 1:32 pm

thanks for your answer

Post by jazcyk » Sun Sep 25, 2005 3:24 pm

Basically I was in the process of upgrading from 1.5.0 to 1.5.1 when I discovered the vulnerability and the 1.5.2 release.

I think I'll take the latest nightly then!

Thanks again!
