Re: Vulnerability CVE-2008-3671 - MyReview's vulnerability in the access control system



Good Evening.

After having received your message, I checked the new version of
myreview to see whether they took my patches into account (I sent them in
private) or not. Unfortunately, they didn't.

Besides, they didn't reply to my messages either. I've just sent them a
new message in case of ...

However, concerning any patch, I don't want to disclose one as I want
to let the myreview developers manage that. This is due to the nature
of the bugs:
- incorrect configuration of the project files. Though this could be
considered an installation mistake, I think myreview developers
should consider it. They can correct that with an advanced
installation script or at least inform users about this problem
- correction of this bug requires project updates, as some
functionalities would not be working if the mentioned correction is
made. This second point is clearly a task that has to be done by
myreview developers.

Besides, the link between the patch and the bug exploitation is
straightforward and I don't want to be at the origin of attacks or exploits
...

So I do not know what to do:
- patch disclosure may engender the generation of exploits
- patch non-disclosure does not solve the bug announced for the first
time 8 months ago ...

What do you think about that?

Best Regards,
Julien Thomas

On Mon, Mar 9, 2009 at 8:50 AM, <alexchf.fyp@xxxxxxxxx> wrote:
Is there any patch for the v1.9.9 to avoid this security issue?




--
-- Julien Thomas

More information (projects, personal site, ..) http://www.julienthomas.eu/