Comment 3 for bug 1056997

!!! URGENT !!!

Confirmed the vulnerability again.

The blog reactions, which are enabled by default, allow anyone to execute arbitrary PHP code.
e.g. put the following in the message field for the reaction: \';phpinfo();//

Also, this bug can be exploited via CSRF, even if the blog module is not used or reactions disabled.

I haven't gotten any reaction from a team member so far, not even Sander on his private e-mail.

WOULD ANYONE FROM THE TEAM PLEASE AT LEAST LET ME KNOW THAT THIS ISSUE HAS BEEN NOTICED?

Otherwise I have to assume no one is active in this project anymore (given the activity here and on the HP, that's fair to assume) and I will disclose this issue publicly, so that people may be aware and protect themselves.