Loss of Innocence
Posted: 27 January 2006 02:54 AM
Research Scientist
Total Posts:  7534
Joined  08-05-2002

It finally happened.  After nearly two years and 192,000 lines of code, ExpressionEngine got its first security bulletin.  Damn.

This morning I was incredibly angry, not only at myself for letting something slip through, but also because when the exploit was found it was never brought to our attention.  Instead, it was reported to a security site where not only was the information incorrect and misleading, but it was copied among other security sites without being confirmed.  We only learned about it after a new member registered and mentioned it in the bug forum.

continue...

Posted: 27 January 2006 03:29 AM   [ # 1 ]
Moderator
Total Posts:  13106
Joined  05-15-2004

OK, just a quick thought on the situation: Well, it had to happen. As you so aptly put it: “No matter how many eyes or how many skilled professionals examine a program, there will be something missed”. So, the question is not: “Can you make your code 100% secure?” (you can not) but rather “How do you handle such a situation?”

As we all know, security is a process. With that in mind, I am impressed by the way pMachine handled this. I mean, you had a bugfix out and ready for download the day you were notified of the bug (and you can’t be blamed that no vendor notification prior to publication took place.)

I for one am thankful for such responsiveness.

 Signature 

Everything will be good in the end. If it’s not good, it’s not the end.

Posted: 27 January 2006 06:02 AM   [ # 2 ]
Lab Technician
Total Posts:  1401
Joined  01-15-2005

Well at least 2 years is still a record for a CMS.

We only learned about it after a new member registered and mentioned it in the bug forum.

I was not following, which thread was that?

 Signature 

EE Duration Tags | {view_count_total}

Posted: 27 January 2006 06:07 AM   [ # 3 ]
Moderator
Total Posts:  13106
Joined  05-15-2004

It was closed, and now appears to have been removed altogether. I spotted it early on and asked Paul in a PM about it. Basically, it consisted of copy & pasting the exploit, but its significance was not immediately obvious at the time.

PS: Is Rick in a bad mood or what? Who can blame him…

 Signature 

Everything will be good in the end. If it’s not good, it’s not the end.

Posted: 27 January 2006 01:23 PM   [ # 4 ]
Research Scientist
Total Posts:  7534
Joined  08-05-2002

Yes, the thread was closed because it simply contained a copy of a copy of the original warning, which itself was inaccurate and incorrect.  We felt it was better to actually correct the contact poster of the warning, correct the security sites, and post our own news blurb with fix instead of leaving the topic with bad information available.  Sort of the one voice approach.

Rick has been burned by these security sites before and considering the rude and negative email I got from Secunia this morning, I know there are a number of bad apples out there who really do not care about the software and protecting customers, but more about their own services.

Posted: 27 January 2006 02:17 PM   [ # 5 ]
Lab Technician
Total Posts:  1401
Joined  01-15-2005

Hakuna Matata! Don’t Worry, those sites are inseparable parts of the World Wide Web. Who cares about them?

 Signature 

EE Duration Tags | {view_count_total}
