Jorey Bump
list at joreybump.com
Mon Mar 14 23:37:33 EST 2005
Graham Dumpleton wrote:
> I would be intrigued to know how you think you weren't affected at all
> by the object traversal bug which was fixed in 3.1.4 if you were using
> publisher. If you were exporting any function, or method of an object
> you would have potentially been affected even if your code was stored
> outside of the document tree.

Assuming you mean CAN-2005-0088, I was affected, but I ran the exploit and it exposed nothing of value.

> Are you still running 3.1.3 on your web site?

No, I use 2.7.8 on my Debian Woody production servers, and it's been patched. My 3.1.x testing servers are up to date.

> If you are, care to tell me
> some URLs of exported methods in your web application so I can see what
> I can find. Your most private data may not have been exposed if you
> were indeed careful, but other internal data could still have been
> which should not have.

I can hear myself asking my boss, now: "There's a tenacious Australian bug hunter wants to probe our server..." :)