judofyr 462 days ago | link | parent

I think it's better to not discuss this openly for a few days. The exploit isn't obvious (as you've noticed), so hopefully users will be able to upgrade before the script kiddies discover this.


jerf 462 days ago | link

Understood, and question withdrawn. Thanks for the answer. I look forward to your future public disclosure. (I mean that sincerely, not as a poke.)

-----

marshray 462 days ago | link

In the meantime, can you confirm that the disabling of XML and YAML inputs fully mitigates the RCE as well as the SQLi?

-----

tptacek 462 days ago | link

The vectors for both are the same. The term "SQLI" here is very misleading.

-----

judofyr 462 days ago | link

Yes.

-----
