by
judofyr
4906 days ago
I think it's better to not discuss this openly for a few days. The exploit isn't obvious (as you've noticed), so hopefully users will be able to upgrade before the script kiddies discover this.
2 comments
jerf
4906 days ago
Understood, and question withdrawn. Thanks for the answer. I look forward to your future public disclosure. (I mean that sincerely, not as a poke.)
marshray
4906 days ago
In the meantime, can you confirm that the disabling of XML and YAML inputs fully mitigates the RCE as well as the SQLi?
tptacek
4906 days ago
The vectors for both are the same. The term "SQLI" here is very misleading.
judofyr
4906 days ago
Yes.