From: techtonik <tec...@us...> - 2007-03-30 06:26:08
On 3/29/07, ja...@so... <ja...@so...> wrote:
>
> Fair enough then. Go ahead and build a CMS/Wiki from scratch that is up to
> your security standards, find a host that is up to your snuff, pay for it,
> and put up the site. I don't have the time to continue arguing about
> imagined security holes.

I see your point, but do me one last favor to assure you that this hole is not imagined: it is real, and you may try it for yourself. If it were an imagined hole I would not bother myself with this discussion.

It seems like this behaviour of SF is intentional. At least the fact that during all these years nothing has changed so far allows me to think this way. Although everything they do for Open Source is a great favor to the OS community, sometimes the community and SF need to elaborate. There are many ways to enhance security and resource control, as any hosting does.

To conclude and summarize the outcome of the discussion:

We do not have any other choice and should stick to SF - our only way to preserve independence and avoid dragging somebody into financial expenses. The security problem is considered minor and is unlikely to be exploited by members of SF. We do not have the means to detect a security breach, but in case of something serious we can be notified by users. We still do not have any backup scheme. In the end it isn't worth implementing any complicated backup and security detection schemes. Everybody is aware of the problem and that is enough to act when some obscure problems arise.

Correct me if I missed something.

--
--anatoly t.
From: Earnie B. <ea...@us...> - 2007-03-30 11:54:08
Quoting techtonik <tec...@us...>:
>
> Correct me if I missed something.
>
You missed the fact that we have had enough of the banter.

Earnie -- http://for-my-kids.com
From: <ja...@so...> - 2007-03-30 21:53:27
techtonik writes:
> I see your point, but do me one last favor to assure you that this
> hole is not imagined - it is real and you may try it for yourself. If
> it were an imagined hole I would not bother myself with this discussion.
>
Sorry, I didn't mean that the SourceForge problem was imagined; I do believe you on that. I meant that I don't believe Drupal has any significant XSS problems. The horse has been sufficiently beaten. :)

--Jason A. Craig
From: techtonik <tec...@us...> - 2007-04-01 05:56:47
On 3/30/07, ja...@so... <ja...@so...> wrote:
> techtonik writes:
> > I see your point, but do me one last favor to assure you that this
> > hole is not imagined - it is real and you may try it for yourself. If
> > it were an imagined hole I would not bother myself with this discussion.
> >
>
> Sorry, I didn't mean that the SourceForge problem was imagined; I do believe
> you on that. I meant that I don't believe Drupal has any significant XSS
> problems. The horse has been sufficiently beaten. :)

It doesn't have any significant XSS problems if your database is secured, but in this case of a SQL injection vulnerability I am curious whether XSS is also possible.

--
--anatoly t.
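The mechanism Anatoly is asking about above (a SQL injection bug turning into stored XSS once the database can no longer be trusted), as an added illustration that is not code from this thread, from SourceForge or from Drupal. It is a generic toy, not a description of any real CMS: the schema, the `input_filter`, `add_reply_*` and `render_*` helpers and the attacker payload are all assumptions made for the example, and SQLite's `executescript()` stands in for a driver or application that accepts stacked statements.

```python
"""Added illustration, not code from the thread or from Drupal: a SQL
injection bug lets an attacker bypass an application-layer input filter
and write raw HTML into the database, which a rendering path that
trusts the database then emits as stored XSS.  All names and the toy
schema are assumptions made for this example."""
import html
import re
import sqlite3

# Toy stand-in for a CMS input filter: strips <script> blocks from text
# submitted through the normal form path.
_SCRIPT_TAG = re.compile(r"<script\b.*?</script>", re.I | re.S)


def input_filter(text):
    return _SCRIPT_TAG.sub("", text)


def make_db():
    # Constructed in-memory database standing in for the CMS comment table.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE comment (cid INTEGER PRIMARY KEY, parent INTEGER, body TEXT)"
    )
    conn.commit()
    return conn


def add_reply_vulnerable(conn, parent_id, body):
    # Vulnerable: the body is filtered, but parent_id (expected to be an
    # integer) is spliced straight into the SQL text.  executescript() stands
    # in for a driver or application that accepts stacked statements.
    sql = "INSERT INTO comment (parent, body) VALUES (%s, '%s');" % (
        parent_id, input_filter(body))
    conn.executescript(sql)


def add_reply_safe(conn, parent_id, body):
    # Hardened: validate the type and bind values with placeholders, so the
    # only row that can be written is one that went through the filter.
    conn.execute(
        "INSERT INTO comment (parent, body) VALUES (?, ?)",
        (int(parent_id), input_filter(body)),
    )
    conn.commit()


def render_trusting(conn):
    # Rendering path that assumes everything in the table was filtered on
    # the way in (the "database is secured" assumption).
    rows = conn.execute("SELECT body FROM comment ORDER BY cid").fetchall()
    return "".join("<p>%s</p>" % body for (body,) in rows)


def render_escaping(conn):
    # Defence in depth: escape at the point of output, whatever the origin.
    rows = conn.execute("SELECT body FROM comment ORDER BY cid").fetchall()
    return "".join("<p>%s</p>" % html.escape(body) for (body,) in rows)


# Constructed attacker input for the parent_id field: closes the VALUES
# list with an unfiltered body, then comments out the rest of the statement.
PAYLOAD_PARENT = "0, '<script>alert(document.cookie)</script>'); --"


def demo_vulnerable():
    conn = make_db()
    add_reply_vulnerable(conn, PAYLOAD_PARENT, "harmless text")
    return render_trusting(conn), render_escaping(conn)


def demo_safe():
    conn = make_db()
    try:
        add_reply_safe(conn, PAYLOAD_PARENT, "harmless text")
        rejected = False
    except ValueError:  # int() refuses the injected string
        rejected = True
    add_reply_safe(conn, 0, "<script>x</script>hello")
    return rejected, render_trusting(conn), render_escaping(conn)


if __name__ == "__main__":
    print(demo_vulnerable())
    print(demo_safe())
```

`demo_vulnerable()` shows the two controls failing independently: the write path let an unfiltered `<script>` row in, and `render_trusting` emitted it because it relied on the write path. `render_escaping` still renders the same poisoned row harmlessly, which is the point of escaping at output even when the database is believed to be clean; `demo_safe` shows that type validation plus bound parameters stop the row from being written at all.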
From: Keith M. <kei...@us...> - 2007-04-01 14:24:27
On Sunday 01 April 2007 06:56, techtonik wrote:
> On 3/30/07, ja...@so... <ja...@so...> wrote:
> > techtonik writes:
> > > I see your point, but do me one last favor to assure you that
> > > this hole is not imagined - it is real and you may try it for
> > > yourself. If it were an imagined hole I would not bother myself with
> > > this discussion.
> >
> > Sorry, I didn't mean that the SourceForge problem was imagined; I
> > do believe you on that. I meant that I don't believe Drupal has
> > any significant XSS problems. The horse has been sufficiently
> > beaten. :)
>
> It doesn't have any significant XSS problems if your database is
> secured, but in this case of a SQL injection vulnerability I am curious
> whether XSS is also possible.

Please, guys. It's time to put an end to this bickering.

Anatoly, you have cried `Wolf!' too often.

Thanks,
Keith.