Posted to dev@tomcat.apache.org by Mark Thomas <ma...@apache.org> on 2020/05/01 08:49:56 UTC

Re: [Bug 64402] New: mr.vta

>           Reporter: mblehkosong@gmail.com

Yet another "security researcher" that failed to notice that if you try
and upload an attachment with MIME type text/html our Bugzilla instances
will always render it as text/plain.

I'd mind less if these folks actually checked if the attack worked and
then apologized for wasting our time when they found it didn't.

I've disabled this idiot's account.

I'll delete the issue shortly.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Re: [Bug 64402] New: mr.vta

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Mark,

On 5/1/20 04:49, Mark Thomas wrote:
>> Reporter: mblehkosong@gmail.com
>
> Yet another "security researcher" that failed to notice that if you
> try and upload an attachment with MIME type text/html our Bugzilla
> instances will always render it as text/plain.
>
> I'd mind less if these folks actually checked if the attack worked
> and then apologized for wasting our time when they found it didn't.
>
> I've disabled this idiot's account.
>
> I'll delete the issue shortly.

Actually, I think you should leave the issue in BZ and we can
encourage the community to laugh at them for claiming "victory" for a
hack that didn't occur.

Kinda like laughing at the small anatomy of people who "zoom bomb"
meetings.

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
-----END PGP SIGNATURE-----
