Re: Vulnerability CVE-2008-3671 - MyReview's vulnerability in the access control system

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Vulnerability CVE-2008-3671 - MyReview's vulnerability in the access control system
From: Julien Thomas <julien.thomas.1@xxxxxxxxx>
Date: Mon, 9 Mar 2009 19:51:07 +0100
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:content-type :content-transfer-encoding; bh=hcKLzfZE3L70eoFaHMh0tjr/N89wQJSPF7zkZcSblqY=; b=kybXRCd4ffHLFeRdN0hHffbaaJUk5Sy/koDTE8cWvmufg3GymNiX09Qc+gdWnXVaXN cynpQiIQGOcj+bttwOyDMWMWQPe5nj5XM2/buWi+iWrCD7VhLZhYWMIxCCbXrTK83RVG I+OEDbXsLajPvgizM+SScJzfp7yjuhG6MA6x8=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type:content-transfer-encoding; b=f56RQWjxebOMqqkM9hb35/8H7FVFQscMV0PLS1jR7cmfjRYC9QROzzncecAdcGQlbA soeIEIfo166/eNwbmW/Xa+e5WJ3kRb/rUwOBL2ilalBmPjA+Etn/il/co4JvRXyYuKd4 BoAEIdfSsm/LN2bsP+EAXG7cdcZ76Acd8+Exo=
In-reply-to: <200903090750.n297o3BK027397@xxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <200903090750.n297o3BK027397@xxxxxxxxxxxxxxxxxxxxxx>

Good Evening.

After having received you're message, I checked the new version of
myreview to see whether they took my pat into account (I sent them in
private) or not. Unfortunately, they didn't.

Besides, they didn't reply to my messages too. I've just sent them a
new message in case of ...

However, concerning any patch, I don't want to disclose one as I want
to let the myreview developers manage that. This is due to the nature
of the bugs :
- incorrect configuration of the project files. Though this could be
considered as an installation mistake, I think myreview developers
should consider it. They can correct that with an advanced
installation script or at least inform users about this problem
- correction of this bug require project updates, as some
functionalities would not be working if the mentioned correction is
made. This second point is clearly a task that has to be made by
myreview developers.

Besides, the link between the patch and the bug exploitation is
straightforward and I don't want to at the origin of attacks exploits
...

So I do not know what to do :
- patch disclosure may engender the generation of exploits
- patch non-disclosure do not solve the bug announced for the first
time 8 months ago ...

What do you think about that?

Best Regards,
Julien Thomas

On Mon, Mar 9, 2009 at 8:50 AM,  <alexchf.fyp@xxxxxxxxx> wrote:
> Is there any patch for the v1.9.9 to avoid this security issue?
>



-- 
-- Julien Thomas

Plus d'informations (projets, site personnel, ..) http://www.julienthomas.eu/

References:
- Re: Vulnerability CVE-2008-3671 - MyReview's vulnerability in the access control system
  - From: alexchf . fyp

Prev by Date: Belkin BullDog Plus UPS-Service Buffer Overflow Vulnerability
Next by Date: [ GLSA 200903-21 ] cURL: Arbitrary file access
Previous by thread: Re: Vulnerability CVE-2008-3671 - MyReview's vulnerability in the access control system
Next by thread: Maran PHP Blog Xss By Khashayar Fereidani
Index(es):
- Date
- Thread