phpMyFAQ 1.5.1 vulns
Moderator: Thorsten
phpMyFAQ 1.5.1 vulns
Perhaps I missed it. Is there any comment on the security issues reported to bugtraq at http://rgod.altervista.org/phpmyfuck151.html ?
Hi,
I have known about it for some hours and I'll release a new version with all fixes in the next hour. I would like to put emphasis on the disappointment I feel when a bug reporter does not contact the author of a software first, before posting any exploits. The common way to report this is to give the developers a reasonable amount of time to respond to an exploit before it is made public.
bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
Thanks for your reactivity
Due to the success of phpMyFAQ, perhaps you could create an alert mailing list?
Best Regards,
Laurent J.V. Dubois
Your French Sales Partner
Hi,
I am thinking about a mailing list. You can also subscribe to Freshmeat, where I release all phpMyFAQ versions all the time.
bye
Thorsten
Don't show version information!
Let me propose for the future that phpmyfaq does NOT show version information. It is too easy to construct a robot that finds all vulnerable installations.
phpbb2 removed version information for the same reason.
It is sufficient that the admin panel shows it!
Hi,
this is security by obscurity and does not work. I know that phpBB2 did that.
I stopped integrating new features and I'm working with some PHP developers including two PHP core developers to make phpMyFAQ as secure as possible. The nightly build from today already has patches against possible XSS implemented.
bye
Thorsten
Hi,
no, 1.5.2 fixes those reported vulnerabilities. But we implemented some more security features to make phpMyFAQ more secure.
bye
Thorsten
thanks for your answer
Basically I was in the process of upgrading from 1.5.0 to 1.5.1 when I discovered the vulnerability and the 1.5.2 release.
I think I'll take the latest nightly then!
Thanks again!