phpMyFAQ 1.5.1 vulns
severud
Posts: 10
Joined: Thu Jun 30, 2005 8:11 pm

phpMyFAQ 1.5.1 vulns

Post by severud »

Perhaps I missed it. Is there any comment on the security issues reported to bugtraq at http://rgod.altervista.org/phpmyfuck151.html ?
Thorsten
Posts: 15560
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq

Post by Thorsten »

Hi,

I have known about it for some hours and I'll release a new version with all fixes within the next hour. I would like to put emphasis on the disappointment I feel when a bug reporter does not contact the author of a software first, before posting any exploits. The common way to report this is to give the developers a reasonable amount of time to respond to an exploit before it is made public.

:-(

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
ljvd
Posts: 21
Joined: Tue Aug 17, 2004 8:53 am
Location: Paris , France

Post by ljvd »

Thanks for your reactivity ;-)

Due to the success of phpMyFAQ, perhaps you could create an alert mailing list?

Best Regards,
Laurent J.V. Dubois
Your French Sales Partner
Thorsten
Posts: 15560
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq

Post by Thorsten »

Hi,

I'm thinking about a mailing list. You can also subscribe on Freshmeat, where I release all phpMyFAQ versions.

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
jazcyk
Posts: 385
Joined: Wed Sep 07, 2005 1:32 pm

Don't show version information!

Post by jazcyk »

Let me propose for the future that phpMyFAQ does NOT show version information. It is too easy to construct a robot that finds all vulnerable installations.

phpBB2 removed version information for the same reason.

It is sufficient that the admin panel shows it!
Thorsten
Posts: 15560
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq

Post by Thorsten »

Hi,

> Let me propose for the future that phpmyfaq does NOT show version information. It is too easy to construct a robot that finds all vulnerable installations.

This is security by obscurity and does not work. I know that phpBB2 did that.

I stopped integrating new features and I'm working with some PHP developers including two PHP core developers to make phpMyFAQ as secure as possible. The nightly build from today already has patches against possible XSS implemented.

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
jazcyk
Posts: 385
Joined: Wed Sep 07, 2005 1:32 pm

Post by jazcyk »

> The nightly build from today already has patches

Does that mean that 1.5.2 has the same vulnerability as 1.5.1?
Thorsten
Posts: 15560
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq

Post by Thorsten »

Hi,

No, 1.5.2 fixes the reported vulnerabilities. But we implemented some more security features to make phpMyFAQ more secure.

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
jazcyk
Posts: 385
Joined: Wed Sep 07, 2005 1:32 pm

Thanks for your answer

Post by jazcyk »

Basically I was in the process of upgrading from 1.5.0 to 1.5.1 when I discovered the vulnerability and the 1.5.2 release.

I think I'll take the latest nightly then!

Thanks again!