On May 13, 2009, at 8:01 AM, Greg Knaddison wrote:
> The specific SA where Justin did not get credit was another situation
> of making a compromise: the "vulnerability" was disclosed and nobody
> on the team felt it was important enough to fix personally.  Justin
> and his employer were unwilling to allocate their resources to fix it.
>
> So, given that public disclosure had occurred and that the security
> team wasn't going to fix it and that we wanted to respond in a timely
> manner...we did a "public service announcement" reminding people that
> admin means admin.

While I'm not on the security team, I would like to point out that Justin was also not the only person to report a possible XSS vulnerability resulting from the 'administer content types' permission prior to SA-CORE-2009-002 ;)

-Mike

* Please don't interpret this as my attempt to receive credit or any such thing. The thought of attempting to receive credit for such an obvious and commonly reported issue hadn't even crossed my mind until now.

__________________
Michael Prasuhn
m...@mikeyp.net
http://mikeyp.net