Shaun Walker wrote
8. Wednesday night - we have verified that there is indeed an issue. However, our first revelation was that it does not allow an anonymous user to execute arbitrary SQL scripts or make arbitrary changes to the web.config, as was claimed in the PowerDNN security advisory. This lowers the risk assessment considerably. We have already come up with a code change which should solve the issue permanently and will include it in a 4.8.3 core release. Please be patient as we work through our standard security process for the benefit of the community.
In summary, it appears that a combination of inexperience, greed, and impatience resulted in the perfect recipe for disaster today. I hope tomorrow will be a better day.
I'd like to see a little bit more confidence in the resolution than just "should fix the problem". Out of everything posted to date on the subject, that one line is the single most disturbing to me.
I recently had work done to the brakes on my truck. I think I would have a problem if the mechanic told me that there was a flaw in the brake system by the original manufacturer and then said that this "should fix the problem". Yeah, that's a lot of confidence, thanks buddy.
On a side note, I can never say enough good things about PowerDNN. While I can certainly agree that things may and should have been handled differently in this case, I find it highly offensive that anyone could sit here and label them as being opportunistic or greedy.
The finger pointing and insinuations though show a complete lack of professionalism in an otherwise stellar community.
Edward DeGagne | Applications Engineering Manager
ektron, inc.
542 Amherst Street, Route 101A | Nashua, NH 03063