Good Evening.

After having received your message, I checked the new version of myreview to see whether they took my patches into account (I sent them in private) or not. Unfortunately, they didn't. Besides, they didn't reply to my messages either. I've just sent them a new message in case of ...

However, concerning any patch, I don't want to disclose one as I want to let the myreview developers manage that. This is due to the nature of the bugs:

- incorrect configuration of the project files. Though this could be considered as an installation mistake, I think myreview developers should consider it. They can correct that with an advanced installation script or at least inform users about this problem
- correction of this bug requires project updates, as some functionalities would not be working if the mentioned correction is made.

This second point is clearly a task that has to be made by myreview developers. Besides, the link between the patch and the bug exploitation is straightforward and I don't want to be at the origin of attacks exploits ...

So I do not know what to do:

- patch disclosure may engender the generation of exploits
- patch non-disclosure does not solve the bug announced for the first time 8 months ago ...

What do you think about that?

Best Regards,
Julien Thomas

On Mon, Mar 9, 2009 at 8:50 AM, <alexchf.fyp@xxxxxxxxx> wrote:
> Is there any patch for the v1.9.9 to avoid this security issue?
>

--
Julien Thomas
More information (projects, personal website, ..) http://www.julienthomas.eu/