Hi everybody,

There is a very inflammatory article about BOINC on the MDR website, which blames the University of Berkeley for not fixing security holes, which (in my opinion, but I'm not sure) are fixed.

http://www.mdr.de/mdr-info/hacker-boinc100.html

In the (German, sorry) article I read that there is a very serious security hole in the current BOINC server software, which allows for (if I interpret the article correctly) SQL injection and even server access (I don't know how that should be possible, but I guess the source is credible).

The article says that "The responsible University of Berkeley only fixed this security hole on the servers of their own projects, but all the other projects are still open and in danger." (Original Text: Doch die zuständige Universität Berkeley in den USA schloss die Lücken nur für die eigenen Projekte – alle anderen sind noch immer offen und gefährdet.)

The picture shows the recent PHP security vulnerability changeset, which was on our server a day after it went to git. Is this the security hole which was reported by the security firm Unnex?

I'm really sorry for the panic now, but is this article actually reporting about this old security hole, which indeed was fixed, unlike reported in the article?

Thanks,
Timo

--
(0x2b |~ 0x2b)^2 == 1 (Shakespeare)
--
Karlsruhe Institute of Technology (KIT)
Institute of Nanotechnology
Timo Strunk
Physicist
Hermann-von-Helmholtz-Platz 1
Building 640, Room 0-215
76344 Eggenstein-Leopoldshafen, Germany
Phone: +49 721 6082-8954
Fax: +49 721 6082-6368
Email: [email protected]
http://www.int.kit.edu/
KIT – University of the State of Baden-Wuerttemberg and National Laboratory of the Helmholtz Association

_______________________________________________
boinc_dev mailing list
http://lists.ssl.berkeley.edu/mailman/listinfo/boinc_dev
