On Wed, Aug 19, 2009 at 02:40:46PM -0700, Jay Allen wrote:
> Actually, I'm going to guess that this is the changeset you're looking for:
> http://code.sixapart.com/trac/movabletype/changeset/3747/branches/fringale/lib/MT/App/Wizard.pm
> 
> Apparently, you could run the wizard even if the config existed which I
> SURMISE allowed you to run the config steps thereby possibly disclosing
> information about your server.
> 
> By the way, I have to heartily agree with Dominic, security bugs (especially)
> should be public after release so that administrators and maintainers have
> educated knowledge of the ways in which their non-updated systems are
> vulnerable. Mozilla, Apache and other open source projects handle this
> very well and should be looked upon for a decent model.

Thanks for your insight. What I've decided to do is just disable the
wizard in the default Debian setup (because in most cases it won't be
that relevant) together with a warning not to make it generally
accessible.

Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
