[pkg-mt-om-devel] Bug#697666: Bug#697666: movabletype-opensource: mt-upgrade.cgi vulnerability
Yves-Alexis Perez
corsac at debian.org
Sat Jan 19 19:18:10 UTC 2013
On mar., 2013-01-08 at 18:04 +0000, Dominic Hargreaves wrote:
> Security team, shall I upload to security-master?
Yes, please.
>
> It might be useful in a DSA to recommend restricting the
> mt-upgrade.cgi
> script to trusted IP addresses, but I don't think it's something we
> can do by default, as browser accesss to mt-upgrade.cgi is needed to
> complete upgrades.
To be honest, I'd be comfortable to restrict it to 127.0.0.1/::1 but
that's not really something we can change on a stable update.
Regards,
--
Yves-Alexis
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: This is a digitally signed message part
URL: <http://lists.alioth.debian.org/pipermail/pkg-mt-om-devel/attachments/20130119/6cdf15e6/attachment.pgp>
More information about the pkg-mt-om-devel
mailing list