judofyr 462 days ago | link | parent

I think it's better to not discuss this openly for a few days. The exploit isn't obvious (as you've noticed), so hopefully users will be able to upgrade before the script kiddies discover this.

jerf 462 days ago | link

Understood, and question withdrawn. Thanks for the answer. I look forward to your future public disclosure. (I mean that sincerely, not as a poke.)


marshray 462 days ago | link

In the meantime, can you confirm that the disabling of XML and YAML inputs fully mitigates the RCE as well as the SQLi?


tptacek 462 days ago | link

The vectors for both are the same. The term "SQLI" here is very misleading.


judofyr 462 days ago | link


