Hacker News new | past | comments | ask | show | jobs | submit login

I think it's better to not discuss this openly for a few days. The exploit isn't obviously (as you've noticed) so hopefully users will be able to upgrade before the script kiddies discovers this.

Understood, and question withdrawn. Thanks for the answer. I look forward to your future public disclosure. (I mean that sincerely, not as a poke.)

In the meantime, can you confirm that the disabling of XML and YAML inputs fully mitigates the RCE as well as the SQLi?

The vectors for both are the same. The term "SQLI" here is very misleading.


Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact