Hi.

On Mon, 2013-03-18 at 19:43 +1300, Andrew McMillan wrote:

> Also worth noting that there is a (non-default) configuration setting
> that restricts the availability of setup.php to only administrators.

Ok.. perhaps changing this to be the default is the solution...

> I guess I'm listed as 'upstream' for DAViCal as well as being the DD
> responsible for the package. Unfortunately I have no time to do either
> job for the foreseeable future.

... once you're back having time to play with Davical again :) Aren't you the upstream?

> So if people think this sort of thing is actually 'grave' then someone
> other than me needs to step forward and apply the (presumably trivial)
> fixes that resolve it. I guess that would be to htmlencode the response
> from that URL

As I said... I don't think either that it allows much more than kinda "DoS" in the sense of sending garbage... I just marked it as grave so that people who have more knowledge about PHP/XSS/security in general... get notified and can comment.

> since making it 'SSL' (as far as I can see) would add
> approximately 0.00001% of additional security.

As I've said :)

Thanks,
Chris.