Please be more careful
Closed this issue · 5 comments
Hello
We have taken the time to investigate your report and found it NOT to be a valid vulnerability as it cannot be reproduced.
To repeat: This is not a vulnerability and appears to be an automatically generated / low-effort report.
Additionally:
- This was not responsibly disclosed to the October CMS team.
- The `db_host` field is not replayed to the browser in the installer package in any of the code.
- The correct security process was not followed: https://github.com/octobercms/october/security/policy
- The wrong package name was submitted in the report.
- An incorrect version number was used in the report.
Your actions have triggered several false flags on CI/CD pipelines for our customers, preventing them from updating their software securely.
Please be more careful!
Hello!
- Sorry if I haven't reported as I should; this is the first time I've reviewed CVEs, and you can check it in my profile, which are all from September.
- The generated report is short because the only problem is that the dbhost field does not properly sanitize the data entry and produces a reflected XSS; there are the traps. If you don't consider it a vulnerability, tell me why there are CVEs for other software with that XSS vulnerability in the installation.
- Given a security problem, I understood that I had to report it to MITRE; sorry for not knowing about GitHub.
- The software version is that, at least the ID that appears when I downloaded it. You published v3.5 only 4 days ago.
- My tests have been carried out on localhost; it can be seen perfectly in the images. You can't tell me that I have activated alerts and bothered customers when I have done it locally.
Furthermore, this vulnerability occurs during the installation process. It seems wrong to me that you accuse me of a bad and simple report when you have not been able to see that my tests are on localhost and you are accusing me of generating alerts to clients.
I understand that you are learning, but your tool may need fixing. The reference screenshot does not show our software's interface. It is just a blank screen. It is not clear that you have tested anything. If you had contacted us first, we could easily have led you to this mistake.
- You cannot see the screen of your software because it is not installed; the vulnerability is in the installation process.
- It is not a blank screen; it is the Burp Suite tool that acts as a proxy to analyze the backend of the requests.
- Before sending me the accusation from before, you should review how cybersecurity works, because all web software is analyzed with Burp Suite; it is not a "blank screen".
Before submitting any report, you must verify it as a human and understand what you are doing. The field you have tested does not relay back to the browser, so the assertion is impossible.
This report was clearly generated from another CMS:
I'm sorry, it is not my job to teach you this. Please stop.
Of course, because if the error is the same as in another CMS, I use it as a template; I am not going to fill out a report from scratch. And yes, when you install the Octobercms software they ask you to fill in the database connection information and user access information during the installation process.
I don't make up the information that the Burp Suite tool captures. It can be seen perfectly in the images of my PoC ("Proof of concept"), which is its software in the installation process ("Local").
Perfect, I now know that I don't have to invest my time in helping your CMS security.
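The disagreement above turns on one checkable fact: a proxy capture showing the payload in the *request* says nothing about whether the server reflects it in the *response*. The following is an added example, not code from the thread and not October CMS's installer; the three form handlers are constructed stand-ins for the three outcomes a reflected-XSS probe can have (value echoed raw, echoed HTML-encoded, not echoed at all), and `db_host` is used only as the field name under discussion. The point it demonstrates is that the request body carries the canary in all three cases, while only the response classification separates a real reflection from a non-finding.

```python
import html
import secrets
from typing import Callable, Dict
from urllib.parse import parse_qs, urlencode

Handler = Callable[[Dict[str, str]], str]

# Constructed handlers (assumption: none of these is October CMS code).
def handler_echo_raw(form: Dict[str, str]) -> str:
    """Vulnerable stand-in: interpolates the submitted field into HTML unescaped."""
    return f"<p>Could not connect to {form.get('db_host', '')}</p>"

def handler_echo_escaped(form: Dict[str, str]) -> str:
    """Hardened stand-in: HTML-escapes the field (including quotes) first."""
    return f"<p>Could not connect to {html.escape(form.get('db_host', ''), quote=True)}</p>"

def handler_no_echo(form: Dict[str, str]) -> str:
    """Stand-in that never places the field in the response body at all."""
    return "<p>Could not connect to the database server.</p>"

def make_canary() -> str:
    """Unique alphanumeric token followed by the characters that matter in HTML context."""
    return f"zz{secrets.token_hex(4)}<\"'>"

def classify_reflection(response_body: str, canary: str) -> str:
    """Classify how the canary appears in a response: 'raw', 'encoded', or 'none'.

    'raw'     -> the special characters came back verbatim (reflection worth reporting)
    'encoded' -> only the alphanumeric token is present; <"'> were neutralised
    'none'    -> the value never reached the response (no reflected XSS possible)
    """
    if canary in response_body:
        return "raw"
    token = canary[: canary.index("<")]  # alphanumeric prefix survives HTML-escaping
    if token in response_body:
        return "encoded"
    return "none"

def request_carries_canary(form: Dict[str, str], canary: str) -> bool:
    """What a proxy capture proves: the payload is in the request. Nothing more."""
    body = urlencode(form)
    return parse_qs(body).get("db_host", [""])[0] == canary

def probe(handler: Handler, field: str = "db_host") -> str:
    """Submit a canary to a handler and classify the response, not the request."""
    canary = make_canary()
    form = {field: canary, "db_user": "root"}
    assert request_carries_canary(form, canary)  # true for every handler
    return classify_reflection(handler(form), canary)

if __name__ == "__main__":
    for name, h in (("echo raw", handler_echo_raw),
                    ("echo escaped", handler_echo_escaped),
                    ("no echo", handler_no_echo)):
        print(f"{name:13s} request has payload: yes  response reflection: {probe(h)}")
```

Only a `raw` result supports a reflected-XSS claim; `encoded` and `none` are the two ways a proxy screenshot of the request can look identical while no vulnerability exists. Against a real target the same check is run by sending the canary through the proxy and reading the response body (or the rendered DOM) rather than the request pane.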