SolusVM Security Update (1.13.03)

soluslabs

FYI:

Released: 28 November 2012

This release fixes an XSS Vulnerability within the SolusVM user interface.

DESCRIPTION : XSS Vulnerability VULNERABLE SYSTEMS : SolusVM master v1.13.02 and below RESOLUTION : Update to SolusVM v1.13.03 SEVERITY : Low CHECKED BY : Phillip Bandelow SIGNED OFF BY : Jason Smith

http://docs.solusvm.com/release_versions_stable?&#section11303

BronzeByte

@soluslabs

Thanks for keeping us up to date on here

onepound

Thanks for the heads up, appreciated.

concerto49

Going to install this in UAT and see if there are any issues before rolling it out. Thanks @ soluslabs.

kbeezie

Know what would be nice? When you log into the solus admin panel, and it mentions the update on the dashboard... if there was some kind of link right there to pop up a changelog. Would not have even thought it was a security update unless I checked the website.

:D updated

EDIT: LOL! right after I posted this, I received the email from SolusLabs regarding the exploit.

NickM

@soluslabs Is this a fix for the problem that caused ChicagoVPS to lose 1000 containers? Or have they still not actually reported that to you?

Zen

@NickM said: Is this a fix for the problem that caused ChicagoVPS to lose 1000 containers? Or have they still not actually reported that to you?

We can assume there was no issue.

Jack

@soluslabs any more info?

soluslabs

@NickM said: @soluslabs Is this a fix for the problem that caused ChicagoVPS to lose 1000 containers? Or have they still not actually reported that to you?

No & No

@Jack said: @soluslabs any more info?

As in what?

Jack

@soluslabs what the actual exploit was?

gsrdgrdghd

@Jack said: @soluslabs what the actual exploit was?

For all we know there is no exploit.

soluslabs

@gsrdgrdghd said: @Jack said: @soluslabs what the actual exploit was?

I presume you mean the XSS? There is no more information.

gsrdgrdghd

@soluslabs said: I presume you mean the XSS? There is no more information.

I assumed @Jack was refering to ChicagoVPS, not the XSS

BronzeByte

@Jack @soluslabs

No, Chris set the API to allow ANY remote IP and someone brute forced the API key that was intended for WHMCS and destroyed those servers

concerto49

@BronzeByte said: No, Chris set the API to allow ANY remote IP and someone brute forced the API key that was intended for WHMCS and destroyed those servers

@CVPS_Chris

BronzeByte

@concerto49

Why did you tag him?

concerto49

@BronzeByte said: Why did you tag him?

Because this whole thread kept mentioning him. He'll read it anyway.

DewlanceVPS

@BronzeByte said: No, Chris set the API to allow ANY remote IP and someone brute forced the API key that was intended for WHMCS and destroyed those servers

But solusvm only connect to allowed IPs? (/etc/xyz///....solusvm/..../allow.dat file)

soluslabs

This thread has nothing to do with ChicagoVPS and is not related in any way.

BronzeByte

@soluslabs said: This thread has nothing to do with ChicagoVPS and is not related in any way.

I know, but others don't, people just don't seem to understand that ChicagoVPS was COMPROMISED and NOT exploited...

BronzeByte

@DewlanceVPS said: But solusvm only connect to allowed IPs? (/etc/xyz///....solusvm/..../allow.dat file)

We're talking about the remote API generally used to provision servers from WHMCS ;-)

qhoster

Great keep up the good work Solus.