[pmwiki-users] suggestion for security notifications

Patrick R. Michaud pmichaud at pobox.com
Tue Sep 5 09:29:23 CDT 2006

On Tue, Sep 05, 2006 at 03:11:26PM +0200, Dominique Faure wrote:
> On 9/5/06, Neil Herber <nospam at eton.ca> wrote:
> > So please, if you have found a vulnerability of any type, send a
> > *private* email to Patrick first and discuss it with him.
> >
> > No sense in giving the bad guys a head start.
> According to original discoverer site [1] and PmWiki change log[2]
> this is a quite old vulnerability, which has already been taken in
> account.
> [1] http://www.ush.it/2006/01/24/pmwiki-multiple-vulnerabilities/
> [2] http://www.pmwiki.org/wiki/PmWiki/ChangeLog

Actually, the isc.org announcement is a new unreported vulnerability, 
that is being actively exploited.  

The change in January [1, 2 above] did indeed take care of the 
vulnerability as it appeared then, but a new attack vector has 
been discovered that is somewhat related to the previous one.

All I can say is that 'register_globals' is totally evil.


More information about the pmwiki-users mailing list