[development] Irresponsible security researcher
Michael Prasuhn
mike at mikeyp.net
Wed May 13 21:16:37 UTC 2009
On May 13, 2009, at 8:01 AM, Greg Knaddison wrote:
> The specific SA where Justin did not get credit was another situation
> of making a compromise: the "vulnerability" was disclosed and nobody
> on the team felt it was important enough to fix personally. Justin
> and his employer were unwilling to allocate their resources to fix it.
>
> So, given that public disclosure had occurred and that the security
> team wasn't going to fix it and that we wanted to respond in a timely
> manner...we did a "public service announcement" reminding people that
> admin means admin.
While I'm not on the security team, I would like to point out that
Justin was also not the only person to report a possible XSS
vulnerability resulting from the 'administer content types' permission
prior to SA-CORE-2009-002 ;)
-Mike
* Please don't interpret this as my attempt to receive credit or any
such thing. The thought of attempting to receive credit for such an
obvious and commonly reported issue hadn't even crossed my mind until
now.
__________________
Michael Prasuhn
mike at mikeyp.net
http://mikeyp.net