> I can't really comment on your situation because I wasn't there... But I
> think that sometimes it's prudent to keep such security problems
> "secret" until a solution is found.
> Discussing them (and their solutions) on mailing lists and such is one
> thing, but publicly announcing the problem to the world just opens up
> every (in this case) Twiki installation to being hacked by would-be hackers.
Fixing the bug was easy, and iirc we also provided a fix within the
advisory. What should probably also be mentioned is that a few months
later, a new error of the same kind (using unchecked user input for
shell execution) was found in twiki. And iirc later such a hole was
found once again. So this makes in total at least three occurrences
of a very stupid bug. It has been known and preached for years not to trust
user input. A responsible author should have checked his code for more
occurrences after the first hole was discovered, in my opinion. Also, the
first bugs had been known to blackhats (and widely abused) for at
least five weeks before, so stalling the advisory didn't help in any
way, because machines around the world were owned in the meantime.
However, the bugs of twiki are off-topic here. If a majority feels that
twiki is the solution for qpsmtpd and someone is willing to operate a
twiki installation despite my security concerns, please feel free to
do so. I can provide you with the data from the dokuwiki (if needed)
and I would then let wiki.qpsmtpd.org point to the new machine. But
no installation of twiki is going to happen on any of my machines, as
a general decision. If someone else is willing to do this, I'm very
fine with that. I will continue to sponsor the qpsmtpd.org domain,
but I have no problem at all with someone else operating the wiki.
Regards
Michael
--
It's an insane world, but I'm proud to be a part of it. -- Bill Hicks