On May 13, 2009, at 8:01 AM, Greg Knaddison wrote:
The specific SA where Justin did not get credit was another situation of making a compromise: the "vulnerability" was disclosed and nobody on the team felt it was important enough to fix personally. Justin and his employer were unwilling to allocate their resources to fix it.
So, given that public disclosure had occurred and that the security team wasn't going to fix it and that we wanted to respond in a timely manner...we did a "public service announcement" reminding people that admin means admin.
While I'm not on the security team, I would like to point out that Justin was also not the only person to report a possible XSS vulnerability resulting from the 'administer content types' permission prior to SA-CORE-2009-002 ;)

-Mike

* Please don't interpret this as my attempt to receive credit or any such thing. The thought of attempting to receive credit for such an obvious and commonly reported issue hadn't even crossed my mind until now.

__________________
Michael Prasuhn
mike@mikeyp.net
http://mikeyp.net