New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Comments
believe or not, a lot of ppl don't care about security until the moment data got compromised. lots of programmers think that encrypted code = security so they choose not to do anything to their code and just rely on ioncube as they think that if no one sees the code, it won't get compromised. Well, if you have an encoded ioncube go check the website: decry.pt you will be surprised how easy it is to decode the code. Not to mention there are other ways to reverse engineer the code.
I used to work for a company that sells a lot of "web products". One day I was assigned to a project, as the project became urgent all of a sudden. I found out a serious bug that any user can login to the admin (within a min), to have the admin control.
I immediately reported to the project leader as I think it was a serious issue, she was like, "mmm.. okay okay" without taking any action. I was kinda pissed as she didn't seem to care about this, she didn't want to fix this. I somehow understand her, as our boss was pushing the project/her way too hard, our boss wanted to have as many features as possible.
The truth is, lots of ppl (not just programmers) don't care about security. All they care is how nice, how fancy the GUI is, how many features the product has.
I would say they did however obviously not targeted enough to find this, you need to remember that centralbackup.php has been in for YEARS, we can only hope they learn from this and security improves as a result.
It really sucks that peoples livelihoods have to be threatened and everyone takes it as a bashing opportunity, no one is forcing anyone to use solusvm.
@Infinity, you should report this to Solus. If what you say is true - what he is doing is definitely illegal based on the fact he is trying to push out a competing product. Solus would need to take legal action against this person.
No offence intended here, but the last time this happened to CVPS the response was the same, new exploit, solusvm assisting etc, and the same as last time no one from solusvm can confirm that is the case.
Just saying... boy who cried wolf etc, some people are full of hate and would rather see businesses close and people go without sleep than just report a vulnerability, personally I think publishing exploit code without first notifying a vendor should carry a 2 year jail term minimum, and on the reverse side I think any vendors should be made responsible for notifying anyone paying for software within 48 hours of the exact details.
That is in general.
/rant.
Can someone refresh my mind who curtisg was? Was it that guy who was here with at least 3 different accounts, created 3 different providers and claimed mental illness in the end?
Sounds right
You're assuming that he actually has a competing control panel product. It was only a few days ago when he was claiming to have a DDoS service (HostKVM), and it wasn't too long ago that he was offering $5.95 dedicated servers which were really shell accounts....and the list goes on and on.. The list of non-existent products he's tried to peddle here is almost as long as the list of usernames he's used.
I have a fair idea who it is but as I said I can't be 100% sure, so based on that it would be hard to get legal action if I can't be 100% sure. I can let Solus know however. ;-)
Apparently a little birdie is telling me that after a 6 hours another zero-day vuln will appear. While I can't confirm the authenticity of this, I do suggest that most hosts keep their Solus offline until proper patches appear.
He's claiming it's free and open source so I guess that's a start.
I don't mean to sound unprofessional... But someone needs a kick in the ******ing face!
@Infinity - definitely report to Solus to take it further. If it is indeed someone that wants to release a competing product and using illegal means to gain market share, law enforcers need to be involved.
I have reported some of the vulns I have been made aware of to SolusVM, fairly sure they won't actually do anything but let us see. :-)
Of course, but there's a difference between civilized people and HackForum skidies
Play keep us updated @soluslabs, @CVPS_Chris.
There wasn't much to ask for help on in my case.
They are "looking into it now."
I agree with @AnthonySmith
Last time ChicagoVPS got hacked, they said they was commuicating with SolusVM and that they would tell solusvm the exloit when the hack was resolved. No one from SolusLabs could confirm nor did they ever forward said exploit.
So far I only read denials same as last time with CVPS. And we all know what gaping hole came "clean" at the audit they did then.
At least they didnt deny it a couple of days ago, probably because it would have been way too ridiculous.
Well said.
Anyhow development is iterative process, now we'll end up having even nicer things, and then again, and again...
I submited a ticket to solus, its under managent review, I'll update here as well when I get a reply from managent.
With a bit luck you can expect a patch by December.
@soluslabs - Seriously, where's that v2, you can't properly program nor schedule a project, what CAN you actually do?!
a £10 OVH server looks remarkably safe and secure right now...
Until you remember that OVH's control panel got hacked just a few months ago and Hetzher's robot got hacked just a few weeks ago
better buy a cheapass ebay server and colo it in a local DC so nobody can social engineer anything :P
http://blog.soluslabs.com/2013/06/18/statement-regarding-current-security-rumours/
Ahahahahaha, I gave them at least 3 clear examples of bad code in my ticket. Unable to locate any problems lol.
I am very disappointed in SolusVM's response to this.
Every provider thinks solus it the only option because its widely used. If Virtualizor or the vePortal that burst.net were more widely used, it would be the exact same drama. Its just like when people complain about windows being not secure. SolusVM is widely used therefore things like this get more attention than when Virtualizor or vePanal have security flaws.
but windows actually is insecure
Exploitable code?
Point is, this drama is the same when micro$oft messes up, people complaining about how terrable windows is. Only difference, it is SolusVM this time.