[SECURITY] Discovered vulnerability #670
Comments
Please send me a private message. Email, Gitter, Telegram, whatever you prefer.
Ok, I will send you a report by Telegram.
@javier can you PM me the details? I am going to deploy some of this code base into my company's infrastructure and we need to maintain PCI.
@amcguirebootster You can deploy the software in your company; if you want more details, please contact
Is it fixed? This is installed on my mining pool server :)
@amcguirebootster The vulnerability cannot be published; an attacker could take advantage of it. Wait for a new version or patch.
@amcguirebootster If it were published it would be fixed by now and our servers would be secure... This is GitHub. Post it so we can patch it ourselves and make a PR.

This is the most lengthy response to a security threat. It should have been patched by now if it is that big of a threat (or release a patch for us to use).

I am removing this from my server; I cannot risk my servers. I will just hack my own shell script to do this.

Good day.
My sincere apologies to all of you waiting! I do realise that a patch must be released as soon as possible; I just haven't had the time. I will release the patch later this evening (CET).

@leshacat A vulnerability doesn't get disclosed before a patch is in place. Not disclosing it gives the maintainers the time to create the patch before bad people can exploit the vulnerability. I do need to say that this patch should have been there sooner. Sad to see you go.
View #670 for full vulnerability disclosure.

Vulnerability disclosure:
Found by: @JavierOlmedo
Vulnerability: An attacker could remove users, logs, and servers through a CSRF attack.
Changes: When removing users, logs, and servers, a CSRF token will be sent with the URL. This token will be verified and the request will either pass or get denied.

The patch has been pushed as 3015071 to issue/670 based on v3.3.1 and released as v3.3.2.
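The change described in the disclosure above, reconstructed as an added Python example (not the project's own code): a URL-driven delete action first without and then with the session-bound CSRF token check. The parameter names (`type`, `delete`, `csrf`), the session layout and the URLs are assumptions.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

TOKEN_PARAM = "csrf"  # assumed name of the query parameter carrying the token

def issue_csrf_token(session: dict) -> str:
    """Create one random token per session and keep it server-side."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]

def build_delete_url(base: str, kind: str, item_id: int, session: dict) -> str:
    """Server-rendered delete link: the token travels in the URL, as in the patch."""
    query = {"type": kind, "delete": item_id, TOKEN_PARAM: issue_csrf_token(session)}
    return f"{base}?{urlencode(query)}"

def _remove(query: dict, store: dict) -> bool:
    """Shared deletion step: drop store[type][id]; report whether anything was removed."""
    kind = query.get("type", [""])[0]
    try:
        item_id = int(query.get("delete", [""])[0])
    except ValueError:
        return False
    return store.get(kind, {}).pop(item_id, None) is not None

def delete_unprotected(url: str, session: dict, store: dict) -> bool:
    """'Before' behaviour: a logged-in browser that loads this URL deletes the item;
    nothing ties the request to the session, so a third-party page can trigger it."""
    return _remove(parse_qs(urlsplit(url).query), store)

def delete_protected(url: str, session: dict, store: dict) -> bool:
    """'After' behaviour: the token in the URL must equal the session's token.
    compare_digest keeps the comparison constant-time; a missing token means deny."""
    query = parse_qs(urlsplit(url).query)
    supplied = query.get(TOKEN_PARAM, [""])[0]
    expected = session.get("csrf_token", "")
    if not expected or not hmac.compare_digest(supplied.encode(), expected.encode()):
        return False  # denied: another origin cannot know this session's token
    return _remove(query, store)

if __name__ == "__main__":
    session, base = {"user": "victim"}, "https://monitor.example/servers"  # constructed
    forged = f"{base}?type=servers&delete=7"  # a link carrying no token
    print(delete_unprotected(forged, session, {"servers": {7: "db-01"}}))  # True
    print(delete_protected(forged, session, {"servers": {7: "db-01"}}))    # False
    print(delete_protected(build_delete_url(base, "servers", 7, session), session, {"servers": {7: "db-01"}}))  # True
```

Because the token rides in the URL it can end up in Referer headers and server logs, so binding it to the session (as above) is what keeps a leaked copy useless to another session.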
If there are any questions, feel free to ask.
@TimZ99 you are awesome <3 Pulling this now :D
@TimZ99 The website is a little outdated. It displays 3.2.0 as the latest version.
Hi,
Please, how can I report a vulnerability?
Regards