I changed the token to also be based on the user's password in git master and stable; this should be enough to prevent this kind of attack, since trying to brute-force the token when you already know the password seems kind of redundant :)
Despite the maybe unfortunate way of making the issue public, many thanks for taking a look into ownCloud security.

- Robin Appelman

On Wed, Dec 14, 2011 at 10:43, Marc Muehlfeld <[email protected]> wrote:
> Hi,
>
> maybe it's better to send the details of vulnerabilities only to the team
> members and not to the list. If too detailed information is public, it
> increases the risk of attacks until a fix is available.
>
> Maybe the team can provide a separate email address for security on the
> homepage until a bugtracker exists which allows marking bugs as
> not-public-visible.
>
> Regards,
> Marc
>
> _______________________________________________
> Owncloud mailing list
> [email protected]
> https://mail.kde.org/mailman/listinfo/owncloud
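The fix described in the message above, binding the token to the user's password so that guessing it is no easier than guessing the password, illustrated as an added example. This is not ownCloud's code and does not reproduce the original ownCloud token scheme; the weak scheme, the user record, the use of a server-side secret and the HMAC construction are all assumptions chosen for the illustration.

```python
"""Constructed example: why a token derived only from guessable inputs can be
brute-forced, and how binding it to the stored password hash (plus a
per-installation secret) closes that off. Not ownCloud's implementation."""
import hashlib
import hmac
import secrets

# Constructed sample user record, not real credentials.
USERNAME = "alice"
PASSWORD = "correct horse"
# A real deployment stores a salted, slow password hash; plain sha256 here
# only keeps the example self-contained.
PASSWORD_HASH = hashlib.sha256(PASSWORD.encode()).hexdigest()
# Assumed per-installation secret that never leaves the server.
SERVER_SECRET = secrets.token_bytes(32)


def weak_token(username: str, counter: int) -> str:
    """Hypothetical weak scheme: the token depends only on the public username
    and a small counter, so the whole input space can be enumerated."""
    return hashlib.sha1(f"{username}:{counter}".encode()).hexdigest()


def brute_force_weak(username: str, observed: str, max_counter: int = 10_000):
    """Attacker who has seen one token tries every counter value offline and
    recovers the input that produced it (None if not found in range)."""
    for counter in range(max_counter):
        if weak_token(username, counter) == observed:
            return counter
    return None


def bound_token(username: str, password_hash: str, server_secret: bytes) -> str:
    """Token = HMAC(server_secret, version || username || password_hash).

    An attacker without the password hash has to guess the password itself,
    and changing the password invalidates every outstanding token."""
    msg = b"\x00".join([b"token-v1", username.encode(), password_hash.encode()])
    return hmac.new(server_secret, msg, hashlib.sha256).hexdigest()


def verify_bound_token(presented: str, username: str, password_hash: str,
                       server_secret: bytes) -> bool:
    """Recompute the token for the current stored hash and compare in
    constant time, so a wrong token leaks nothing through timing."""
    expected = bound_token(username, password_hash, server_secret)
    return hmac.compare_digest(presented, expected)


def password_change_invalidates(username: str, old_hash: str,
                                new_password: str, server_secret: bytes) -> bool:
    """True if a token issued under old_hash no longer verifies once the
    stored hash is replaced by the hash of new_password."""
    old_token = bound_token(username, old_hash, server_secret)
    new_hash = hashlib.sha256(new_password.encode()).hexdigest()
    return not verify_bound_token(old_token, username, new_hash, server_secret)


if __name__ == "__main__":
    observed = weak_token(USERNAME, 4242)
    print("weak token: recovered counter", brute_force_weak(USERNAME, observed))
    tok = bound_token(USERNAME, PASSWORD_HASH, SERVER_SECRET)
    print("bound token verifies:",
          verify_bound_token(tok, USERNAME, PASSWORD_HASH, SERVER_SECRET))
    print("invalid after password change:",
          password_change_invalidates(USERNAME, PASSWORD_HASH, "new pass", SERVER_SECRET))
```

The constant-time comparison and the server-side secret are additions beyond what the message states; the property the message relies on is the inclusion of the password material, which is what `password_change_invalidates` exercises.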
