
Author Topic: Security issues  (Read 957 times)

codetwist

  • Hero Member
  • *****
  • Karma: 50
  • Posts: 940
Security issues
« on: December 31, 2007, 04:29:32 pm »

I have published a disclosure of a security issue with the current MU distribution here (affected versions are the default sNews MU distribution as well as its derivative package sNews MEMU); afterwards I added a fix as well.

However, dudes removed the disclosure and fix from public access. Alright, I'm not going to repost it here; but it will be posted publicly anyway.

Keyrocks

  • Doug
  • ULTIMATE member
  • ******
  • Karma: 449
  • Posts: 6019
  • Semantically Challenged
    • snews.ca
Re: Security issues
« Reply #1 on: December 31, 2007, 05:43:42 pm »

The issue noted above... and the "fix" offered... are located here in public view.
Do it now... later may not come.
-------------------------------------------------------------------------------------------------
sNews 1.6 MESU | sNews 1.6 MEMU

Joost

  • Guest
Re: Security issues
« Reply #2 on: December 31, 2007, 07:42:23 pm »

@Codetwist

It was I who suggested removing the post (temporarily), and Keyrocks responded to that.
I do think that disclosing a security threat without informing the developers upfront is not good practice (Yes, you are right: neither is bad coding ;) ).

Take into consideration that the sNews community is not equipped to patch and release a new version within hours. Neither is there a system to distribute the package fast, without making public that the previous package contains a security hole. Only for that reason, security through obscurity might be helpful. The full disclosure of the issue could have been done later, after a reasonable amount of time.

I would like to turn this into a constructive discussion. How do we round this up, and how do we deal with similar issues in the future? By "we" I mean everyone: members, Dudes, moderators, administrators and developers.
I'd like to hear.

And no matter what, I am still grateful that Codetwist found the hole. So thanks Codetwist. ;)


Fred K

  • Still trying to learn stuff
  • ULTIMATE member
  • ******
  • Karma: 130
  • Posts: 2728
    • Personal
Re: Security issues
« Reply #3 on: December 31, 2007, 10:09:55 pm »

We don't really have a system in place for this type of possibly sensitive information, so in a sense it's perfectly understandable that the original alert was posted "in the open". I do think however, even if sNews is an open source project, that it's better to send certain types of bug reports first to the Lead Developer and/or his Merry Band of Cohorts (um, that'd be us Dudes...). If nothing happens in a reasonable amount of time, then a public post is warranted.

Exactly what type of bug reports to send instead of posting openly? Well, security vulnerabilities. That's about it. 8)
The object would be to minimize the risk of the info falling into wrong hands, even if the risk is always there anyway.

That said, I think everyone's happy that the hole was found and reported, and I hope this little hoo-ha doesn't stop anyone from future reports. That'd be a shame.

Also, codie, there was no snub intended towards you, I can assure you. Only a concern about sensitive info being displayed openly. That's all.

Rui Mendes

  • Development,Testing, Support
  • Hero Member
  • *****
  • Karma: 195
  • Posts: 1009
  • sNews1.7
    • Comunidade Portuguesa
Re: Security issues
« Reply #4 on: January 01, 2008, 03:56:52 am »

@Codetwist.

Thank you very much, I think we are very grateful that you found the hole.

So thanks Codetwist,
and Happy New Year for you and your family.
Need a job in Europe. LinkedIn - Facebook / Group