Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Vulnerabilities
#1
Just bumped into this advisory released last week:

http://secunia.com/advisories/40428
- Julian

My GetSimple Plugins: Simple Image Gallery | TweetMeme reTweet Button
Reply
#2
Interesting, I’m going to be forwarding this to Chris.

I’ll also try them out, but it feels like only one of them is feasible because everything else makes use of files in the admin directory and those PHP files should just redirect to the login form when you’re not logged in. If you are logged in when doing this, well frankly, you’d be an idiot because you can just use the upload panel to upload a PHP file to take control of anything on the server.
“Don’t forget the important ˚ (not °) on the a,” says the Unicode lover.
Help us test a key change for the core! ¶ Problems with GetSimple? Be sure to enable debug mode!
Reply
#3
Putting this up here so you all know where we stand on this, I just received this email back from Mike (n00dles):
Mike Wrote:Yeah saw those the other day, tried MOST of them and yes you do need to be logged in for them to work.
So unless you’re afraid of hacking into your own GetSimple installation after having logged in these aren’t the highest priority vulnerabilities ever to be discovered.

Of course we will be looking into this, but it’s not really a matter of concern for current live websites.
“Don’t forget the important ˚ (not °) on the a,” says the Unicode lover.
Help us test a key change for the core! ¶ Problems with GetSimple? Be sure to enable debug mode!
Reply




Users browsing this thread: 3 Guest(s)