MyBB Community Forums

Full Version: Smf insecure and they try to hide it
This says it all. That is SMF for you, pretending to be secure by lulling its users into a false sense of security.

http://www.simplemachines.org/community/...c=272393.0
Sweetey, most people here, if not all, use MyBB. Big Grin
They did nothing wrong. If you made a public post with a vulnerability we would unapprove the thread/post until we could push out a release. Obviously you wouldn't want the vulnerability spread in public without a patch for your users.

Also not to mention, there are official and speedier ways to report vulnerabilities. They have their own official methods of communicating reported security vulnerabilities as do we.
SMF was not hiding anything. They discussed it via PM if you read the topic. Doesn't quite make sense to have a vulnerability posted on forums as hackers can obtain it. I'm sure MyBB would do the same.

Really bad argument if you're trying to target SMF.
They obviously did the right thing as Ryan said. They should have pmed him about it though.
(2008-11-06, 09:30 PM)rcpalace Wrote: [ -> ]They obviously did the right thing as Ryan said. They should have pmed him about it though.
Probably not the first priority in their minds at the time. Toungue
(2008-11-06, 10:22 PM)rh1n0 Wrote: [ -> ]
(2008-11-06, 09:30 PM)rcpalace Wrote: [ -> ]They obviously did the right thing as Ryan said. They should have pmed him about it though.
Probably not the first priority in their minds at the time. Toungue

Ya, I suppose exploit comes first. But as everyone else said, I see nothing wrong. SMF does have a good security track record and I don't see this really hurting them too much.
That just goes to show what kind of clientele they cater to. LoL.
Quote:Obviously you wouldn't want the vulnerability spread in public without a patch for your users.

IMHO if it's published at milw0rm it's already public. It's likely every hacker is aware while the admins of the forum software are the clueless ones.

You don't want a new exploit posted but certainly something at milw0rm needs to be immediately addressed and deleting it from the forum doesn't delete it from milw0rm. I think SMF did the wrong thing here in this instance.

At least that's my take. Admins need to know a public exploit exists so they can do immediate backups or possibly disable functions. This exploit even requires tricking an admin into viewing an attachment. Even more reasons for admins to be aware. One thing I would immediately do is lower my own access and remove any other admins' access until it was corrected.
I can understand what you're saying, labrocca. But in this case, it appears that in order for forums to be safe from the exploit they have to do some manual code editing. Many users may not be comfortable with this, and in a rush to keep their board secure, are more likely to screw things up. I don't think they need to deal with people posting that they've stuffed up the manual edits and have tried re-installing but now all their threads/posts/users are gone.

It's a difficult situation really..