GetSimple Support Forum

Full Version: Vulnerabilities
Just bumped into this advisory released last week:

http://secunia.com/advisories/40428
Interesting, I’m going to be forwarding this to Chris.

I’ll also try them out, but it feels like only one of them is feasible because everything else makes use of files in the admin directory and those PHP files should just redirect to the login form when you’re not logged in. If you are logged in when doing this, well frankly, you’d be an idiot because you can just use the upload panel to upload a PHP file to take control of anything on the server.
Putting this up here so you all know where we stand on this, I just received this email back from Mike (n00dles):
Mike Wrote: Yeah saw those the other day, tried MOST of them and yes you do need to be logged in for them to work.
So unless you’re afraid of hacking into your own GetSimple installation after having logged in, these aren’t the highest priority vulnerabilities ever to be discovered.

Of course we will be looking into this, but it’s not really a matter of concern for current live websites.