Hello list. Some time ago I discovered several security issues, both in PmWiki and in the UserAuth2 recipe. In some of those cases I think the design wasn't optimal for security, and in another case it was a very real bug which could cause major site ownage. Each time, I tried to contact PM and Thomas Pitschel respectively; emailing PM is what I'm supposed to do according to http://pmwiki.org/wiki/PmWiki/Security . I sent them messages via Freenode as well. But nope, I have not yet received any reply.
I don't believe in public disclosure of security vulnerabilities. That creates unnecessary risks for site admins who are slow to update their installations. But when the project maintainers don't seem to listen to me, what am I supposed to do? I want the code to be fixed ASAP, if the bugs are worth taking seriously. And feedback from the maintainers, even if it's just a false alarm. I have fixed the issues on _my_ server, I just want to help improve PmWiki's security for _other_ users. Public disclosure won't do that. Once again, PM and Thomas, please read the emails I've sent you. Thanks.
//Olle Bergkvist
_______________________________________________
pmwiki-users mailing list
pmwiki-users@pmichaud.com
http://www.pmichaud.com/mailman/listinfo/pmwiki-users