PyroCMS Static Private Key Leads to Object Injection Vuln. #3276

Closed
mmetince opened this Issue Apr 20, 2014 · 4 comments

Comments


philsturgeon Apr 24, 2014

Member

This is absolutely not the responsible way to report potential security issues. Our email address and contact forms are public, so you have no excuse.



philsturgeon Apr 24, 2014

Member

Please take down your blog article and give me 48 hours to get a patch into the 2.2 and 2.3 branches. You can blog about it once that version is released if you really need the traffic that badly.


philsturgeon pushed a commit that referenced this issue Apr 24, 2014


mmetince Apr 24, 2014

Of course I always contact developers if a vulnerability leads to very serious things. But in the PyroCMS case you cannot bypass the user authorization system via session array manipulation, because PyroCMS checks permissions from the database instead of the session. Also there is no way to manipulate the magic methods of classes, because none of them uses any __destruct or __wakeup method in a dangerous way. I opened that ticket in order to block future attack vectors. So I don't need to give an excuse, sir.

I took down the blog post anyway. You have your 48 hours, or as much as you need. I've just been trying to contribute to your open source app. If you need to reach the blog post during the patch process, email me: mehmet@mehmetince.net
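The two defensive points raised in this thread (a key that is unique per installation rather than shipped statically, and authorization that comes from the database rather than from session contents) can be illustrated in a few lines. The following is an added example, not PyroCMS or CodeIgniter code; the function names, the `$db` lookup and the sample values are assumptions made for the illustration, and it requires PHP 7.4 or later for `random_bytes`, the `allowed_classes` option and arrow functions.

```php
<?php
// Added illustration, not PyroCMS code. It contrasts a static shared key with a
// per-install key for authenticating a serialized session cookie, and restricts
// unserialize() so that cookie bytes can never instantiate an application class.

// BAD: a key shipped identically to every installation (constructed placeholder).
const STATIC_SHARED_KEY = 'example-static-key-shipped-in-default-config';

// GOOD: a key generated once per installation and kept out of version control.
function generateInstallKey(): string {
    return bin2hex(random_bytes(32)); // 64 hex chars from a CSPRNG
}

// Encode a session array as serialized bytes plus an HMAC tag under $key.
function sealSession(array $session, string $key): string {
    $payload = serialize($session);
    $tag = hash_hmac('sha256', $payload, $key);
    return base64_encode($payload) . '.' . $tag;
}

// Verify the tag before touching the payload; refuse any object instantiation.
function openSession(string $cookie, string $key): ?array {
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$encoded, $tag] = $parts;
    $payload = base64_decode($encoded, true);
    if ($payload === false) {
        return null;
    }
    $expected = hash_hmac('sha256', $payload, $key);
    if (!hash_equals($expected, $tag)) { // constant-time comparison
        return null;                       // tampered, or sealed under another key
    }
    // Even with a valid tag, cookie bytes must not choose a class to build:
    // any serialized object becomes __PHP_Incomplete_Class, so no __wakeup or
    // __destruct of an application class can run from this input.
    $data = unserialize($payload, ['allowed_classes' => false]);
    return is_array($data) ? $data : null;
}

// Authorization: as the thread notes, derive the role from the database keyed by
// user id, not from a flag carried in the session. $db is a hypothetical lookup.
function isAdmin(array $session, callable $db): bool {
    if (!isset($session['user_id'])) {
        return false;
    }
    return $db((int) $session['user_id']) === 'admin';
}

// Demo with constructed values.
$key = generateInstallKey();
$cookie = sealSession(['user_id' => 7], $key);
$session = openSession($cookie, $key);

// A cookie sealed under the static key is rejected by an install using its own key.
$underStaticKey = sealSession(['user_id' => 7, 'is_admin' => true], STATIC_SHARED_KEY);
var_dump(openSession($underStaticKey, $key));

// Even a session that carries 'is_admin' => true would not matter: the role
// comes from the lookup, which here only knows user 1 as admin.
$lookup = fn(int $id): string => $id === 1 ? 'admin' : 'user';
var_dump(isAdmin($session, $lookup));
```

The first `var_dump` shows the forged cookie being dropped at the tag check, before `unserialize()` ever sees it; the second shows that whatever the session array says, the decision rests on the database lookup, which is the property mmetince relies on above.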



philsturgeon Apr 24, 2014

Member

Thank you Mehmet.

I have a fix in 2.2.4 and am merging into 2.3/develop now, I’ll ping you when you can put the blog post back.

While there may not be any attack vectors right now, putting that out there is going to get people thinking about how they could attack it. Posting a blog article about it instead of just contacting us is generally considered bad practice, but I am very grateful for your cooperation. :)


philsturgeon pushed a commit that referenced this issue Apr 24, 2014
