Re: [Bug 64402] New: mr.vta

2020-05-01 Thread Christopher Schultz

Mark,

On 5/1/20 04:49, Mark Thomas wrote:
>> Reporter: mblehkos...@gmail.com
>
> Yet another "security researcher" that failed to notice that if you
> try and upload an attachment with MIME type text/html our Bugzilla
> instances will always render it as text/plain.
>
> I'd mind less if these folks actually checked if the attack worked
> and then apologized for wasting our time when they found it didn't.
>
> I've disabled this idiot's account.
>
> I'll delete the issue shortly.

Actually, I think you should leave the issue in BZ and we can
encourage the community to laugh at them for claiming "victory" for a
hack that didn't occur.

Kinda like laughing at the small anatomy of people who "zoom bomb"
meetings.

-chris

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: [Bug 64402] New: mr.vta

2020-05-01 Thread Mark Thomas
>   Reporter: mblehkos...@gmail.com

Yet another "security researcher" that failed to notice that if you try
and upload an attachment with MIME type text/html our Bugzilla instances
will always render it as text/plain.

I'd mind less if these folks actually checked if the attack worked and
then apologized for wasting our time when they found it didn't.

I've disabled this idiot's account.

I'll delete the issue shortly.

Mark




[Bug 64402] New: mr.vta

2020-04-30 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=64402

            Bug ID: 64402
           Summary: mr.vta
           Product: Tomcat 10
           Version: unspecified
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: Authentication
          Assignee: dev@tomcat.apache.org
          Reporter: mblehkos...@gmail.com
  Target Milestone: --

Created attachment 37211
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=37211=edit
bugzilla

mr.vta

-- 
You are receiving this mail because:
You are the assignee for the bug.