Comments
I'm trying to find decent words to describe the amount of fail, stupidity and arrogance of SolusLabs but I can't.
Well, something like Evo said: this time the hole was not as big as the moon; it is easy to miss.
In times like this I am happy I am not a programmer.
I used to write such bad code, and was so lazy about commenting it, that if I didn't finish the program in one day it was impossible to remember the next day what I did there, what variables I used, things like that.
I will abstain from criticizing too much; however, it is obvious that an average coder would have done better in the first case, while the last one is too complex to assess, but I presume many people would have made this mistake.
You think SolusLabs is bad? How about WHMCS...
At least they change the version number when they release a patch... so you know exactly which version you have.
Patch is out: http://docs.solusvm.com/v2/Default.htm#Modules/Billing/WHMCS/Installation.htm
Exactly!
So who has been brave enough to re-enable API access with the new Solus version?
Or.. who would like to be the first target in new vulnerability testing?
Every day we run Solus we feel more and more uneasy. It will be hard to replace this trust. The WHMCS module attack was an interesting vector that could possibly be forgiven, the original centralbackup.php far less so.
We. But we use a different SolusVM module for WHMCS.
Agreed. It's impossible to shake off the paranoia now.
New security fixes: http://blog.soluslabs.com/2013/06/24/security-updates-available-for-all-solusvm-versions-2/
Confidence level very, very low.
@jbiloh I am just happy it is getting fixed. Either way
No doubt, progress is good.
@jbiloh the fact that they started to audit their code only after something this bad has happened is extremely disappointing.
I realize there are a bunch of people "working" on new panels to take the place of SolusVM, but they never seem to be finished... How much do you think it'd cost to hire people to create a fully functional alternative? (If I decided to tackle this myself, I have no doubt I'd lose interest and never finish).
Even if they fix everything in SolusVM now, how long will it be before sloppy updates result in a new vulnerability? The fact that they've found so much to patch already would seem to imply they often release code that they haven't reviewed.
What makes you think these other panels popping up will be better? Especially after not standing the test of time. Security is not easy. Otherwise you would not be hearing about banks and credit card companies and all sorts of other big companies getting hacked all the time. Even internet companies like Twitter get hacked sometimes.
I used to write shit code. Then I took a hack to my server.
Is the SolusVM owner an ex-employee of WHMCS?
The module, when accessed via WHMCS, works through the IP 127.0.0.1; rootpassword.php was renamed to make sure there were no issues. So the .htaccess was written to only allow the public and 127.0.0.1 IPs access to those specific files. Also, I'm working on installing an application firewall so you can't pass phrases like sudo, rm -rf, etc. via URLs, which ends that specific vector, period. Researching it against a test server.
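The per-file IP allowlist described in the comment above, written out as an added example (this is not the commenter's .htaccess, nor anything shipped by SolusLabs or WHMCS). It assumes Apache 2.4 with mod_authz_core, that AllowOverride permits Limit/AuthConfig in this directory, that the module's callback files carry the names the thread mentions (rootpassword.php and centralbackup.php; substitute the renamed file), and that 203.0.113.10 is a placeholder for the WHMCS server's public IP.

```apache
# Added example, not from the original post or from SolusLabs.
# Restrict the SolusVM module callback files to loopback plus the
# WHMCS server's public IP; every other client gets 403.
# Assumed file names (from the thread) and a placeholder IP (203.0.113.10).
<FilesMatch "^(rootpassword|centralbackup)\.php$">
    # With no Require satisfied, 2.4 denies by default, so listing the
    # allowed addresses is sufficient; nothing else can reach these files.
    Require ip 127.0.0.1 ::1 203.0.113.10
</FilesMatch>
```

On Apache 2.2 the equivalent inside the same `<FilesMatch>` is `Order deny,allow`, `Deny from all`, `Allow from 127.0.0.1 ::1 203.0.113.10`. `Require ip` matches the TCP peer address: if a reverse proxy or load balancer sits in front of the panel, the peer is the proxy, and you need mod_remoteip (or the proxy's own ACL) for the check to mean anything. This narrows who can reach the files; it does not fix whatever the files do once reached.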
I've never believed in the idea that in order to secure things you need to block stuff rather than risk it, even if you are not sure what you are blocking against. The root cause needs to be corrected. You should be working from the inner layer of the onion first, not the outer layer. Proper security is about risk management, not risk elimination. Security vs. usability. Not security by obscurity and blocking non-specific threats that only make the system harder to use/administer.
A lot of people will disagree but I would go as far as saying that a properly secured system should never need a firewall/iptables. It should never need ports blocked. Those ports should not be vulnerable in the first place. For example, you should never need to block port 3306 if you are not using MySQL externally. A better solution is to not have MySQL listening to anything besides localhost in the first place "bind-address=127.0.0.1". Problem solved, more elegant and simpler than blocking port 3306. All because you are solving it at a lower layer of the onion.
Of course that's just my opinion...I could be wrong.
From Ticket
Any update on the external audit?
New update:
http://blog.soluslabs.com/2013/06/26/solusvm-1-13-081-14-00-r8-minor-update-released/
I think they might be starting it soon
Security is best done in layers; what seems "useless" is not necessarily so. The world is rife with human error, and relying on a single security mechanism from a perfect world is just asking for trouble.
I would appreciate their work more if they actually supplied a changelog with their updates.
Really damn descriptive right there.
More specifics would be helpful. Has anyone looked more closely at what was changed? Simply curious.
With completion of the audit slated for Monday, these updates with non-information two days later do not really do anything to boost confidence when a large number of providers have their SolusVM offline.