re: CVE-2018-9206 Blueimp jQuery Arbitrary File Upload

To: My detractors.

I'll address your points here.
I've seen a blog post where the author makes the following arguments:
  1. You said the vulnerability was unknown by the infosec community, but you knew about it all along.
     > Then why didn't you notify the author, assign a CVE ID and get the vulnerability addressed?
  2. The black hat community knew about this vulnerability for years!
     > Yes, I noted that in my initial write-up. Re-read it.
  3. Everyone knows that .htaccess was disabled in Apache 2.3.8.
     > No, actually most of the internet didn't know, or this vulnerability wouldn't have been so widely published and written about.
  4. You don't know much about HTTP servers if you don't know how to enable .htaccess.
     > I configured my first HTTP server in 1993. I wrote the server you're receiving this from in C. I never said you couldn't enable .htaccess. I just stated it was disabled by default. Again, re-read what I wrote.
  5. Everyone who runs WordPress enables .htaccess.
     > Great, this isn't about WordPress. It's also dangerous to have a system woefully insecure out of the box and expect the administrators/users to secure it before placing it into production.
  6. There was no vulnerability in the code. It's up to the web server admin to keep the server secure.
     > So, developers can write insecure code and it's the responsibility of the system administrator to keep the server secure? Security is provided in layers of protection. One sole system shouldn't be the choke point for all security.
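The .htaccess argument above turns on one configuration detail: in Apache 2.4 the server-wide default is `AllowOverride None`, under which a per-directory `.htaccess` file is silently ignored. Any protection an application ships only in such a file is therefore a no-op until an administrator opts in. The fragment below is an added illustration, not configuration from the original page or from the jQuery File Upload project: the first part shows the fragile pattern (the only control sits in a `.htaccess` the server will not read), the second places equivalent controls in the main server configuration, where they hold regardless of the override setting and the upload directory is safe out of the box. The directory path, hostname and the contents of the assumed `.htaccess` are assumptions for the example.

```apache
# --- Fragile: the only control is /var/www/html/files/.htaccess ---
# (assumed upload directory and assumed .htaccess content). With the
# Apache 2.4 default of "AllowOverride None" this file is never read,
# so a file uploaded into the directory is served and handled like any
# other file in the document root, handler mappings included.
#
#     SetHandler default-handler
#
# --- Robust: the same controls in the main configuration ---
<VirtualHost *:80>
    ServerName upload.example.test      # assumed hostname
    DocumentRoot "/var/www/html"

    # Upload directory: everything in here is static bytes, nothing more.
    <Directory "/var/www/html/files">
        # Make the behaviour explicit rather than relying on the default.
        AllowOverride None
        Options -ExecCGI -Includes -Indexes

        # Route every file through the static-file handler so that
        # handlers mapped by extension (mod_php, mod_cgi, ...) never
        # run for files in this directory. With mod_php loaded,
        # "php_admin_flag engine off" here is a further layer.
        SetHandler default-handler

        # Deliver uploads as opaque downloads, not as rendered content,
        # so a file with a script or HTML body is not interpreted by
        # the browser either.
        ForceType application/octet-stream
        <IfModule mod_headers.c>
            Header set Content-Disposition attachment
            Header set X-Content-Type-Options nosniff
        </IfModule>

        # Defence in depth: refuse direct requests for script-like
        # names even though the handler above already neutralises them.
        # FilesMatch is merged after Directory, so this denial wins
        # over the "Require all granted" below.
        <FilesMatch "\.(php[0-9]?|phtml|phar|cgi|pl|py|sh)$">
            Require all denied
        </FilesMatch>

        Require all granted
    </Directory>
</VirtualHost>
```

After adding the fragment, `apachectl -t` checks the syntax and a reload applies it; requesting a harmless test file with a script-like name from the upload directory should then return 403, and any other file should arrive with `Content-Type: application/octet-stream` and `Content-Disposition: attachment`. The server-side allow-list of accepted file types in the upload handler itself is the complementary application-layer control; the web server configuration is the layer that holds if that check is misconfigured or bypassed.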