[pkg-mt-om-devel] Bug#697666: Bug#697666: Bug#697666: movabletype-opensource: mt-upgrade.cgi vulnerability
Dominic Hargreaves
dom at earth.li
Sun Jan 20 21:28:51 UTC 2013
On Sat, Jan 19, 2013 at 08:18:10PM +0100, Yves-Alexis Perez wrote:
> On mar., 2013-01-08 at 18:04 +0000, Dominic Hargreaves wrote:
> > Security team, shall I upload to security-master?
>
> Yes, please.
Okay, done.
> > It might be useful in a DSA to recommend restricting the
> > mt-upgrade.cgi
> > script to trusted IP addresses, but I don't think it's something we
> > can do by default, as browser access to mt-upgrade.cgi is needed to
> > complete upgrades.
>
> To be honest, I'd be comfortable to restrict it to 127.0.0.1/::1 but
> that's not really something we can change on a stable update.
That is likely to render the site inoperable following an upgrade
with a schema change, because an admin has to log in with their
browser and get redirected to mt-upgrade.cgi. They're advised of
this possibility with a debconf note, but I still think it's risky
to lock people out of doing this by default.
--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
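One way a site administrator could apply the per-site restriction discussed above, as an added illustration that is not part of this thread or the Debian package; the script path under /cgi-bin/mt/ and the 192.0.2.0/24 admin network are assumptions:

```apache
# Added example: limit mt-upgrade.cgi to localhost and a trusted admin range.
# The path and the 192.0.2.0/24 admin subnet are assumed; adjust for your host.
<Location "/cgi-bin/mt/mt-upgrade.cgi">
    # Apache 2.2 access control (mod_authz_host)
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1 ::1 192.0.2.0/24
    # Apache 2.4 equivalent: Require ip 127.0.0.1 ::1 192.0.2.0/24
</Location>
```

As the thread notes, an upgrade with a schema change redirects the logged-in admin to this script, so the allowed range must include the addresses admins actually browse from.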