WHMCS 5.2.7 Vulnerability - Page 5

Comments

  • sman Member
    edited October 2013

    I love how these threads always manage to bring out the paranoid 'security experts' who have lots to say about things that most have no clue about.

    Thanked by: fapvps
  • BrianHarrison Member, Patron Provider
    edited October 2013

    @MiB said:
    Having to "fix" severe security issues of a service by blocking malicious requests with an application firewall definitely seems like an issue to me, especially if that service holds sensitive customers' data. The potential loss of customers' trust and a big fine for leaking personal info after a successful exploit are not worth it for me.

    I think you're misinterpreting my post. Mod_security is not a fix nor is it a final solution. Everyone should patch their WHMCS just as we did at the earliest opportunity. Nevertheless, mod_security and our rule set had us protected before this exploit was even posted. That's why I say if you have mod_security, then this exploit wasn't much of an issue.

    Anyone running Apache who hasn't installed mod_security, should do so. With zero-day exploits you may not have enough time to yank your software offline or apply a vendor security patch before you get hacked.

  • ShardHost and 2GBVPS have been hacked. At least they have sent me an email.

  • Is there a possibility that some LEB/T members have been involved in taking host details from here and hacking hosts' sites?

  • Reece Member
    edited October 2013

    @qtriangle said:
    Is there a possibility that some LEB/T members have been involved in taking host details from here and hacking hosts' sites?

    Really, really wouldn't surprise me. But there's also a bunch of kids who like to cause mayhem here.

  • ClientExec or Blesta - that is the question. :)

  • @Reece said:

    ...there's also a bunch of kids who like to think they cause mayhem here.

    Fixed.

  • c0y Member

    @sman said:
    I love how these threads always manage to bring out the paranoid 'security experts' who have lots to say about things that most have no clue about.

    I love how ignorant, utterly stupid and blind you are :-)

    Maybe if you had more than 3 brain cells you would have noticed that the exploit has been confirmed and that big providers could have maybe got hit if it wasn't broadcasted here.

    You seem to have no clue about anything in life, according to what you post...

  • sman Member
    edited October 2013

    @Netxons said:
    We received the same attack as you. With good luck we managed to find it, deleted the client within 10 seconds and put the WHMCS into maintenance mode. After the upgrade we released the WHMCS for more than 3 hours and it seems all looks fine now.

    If you implement the further security steps whmcs suggests it would not be a problem anyways. In particular, change the admin folder name and password protect it.
    http://docs.whmcs.com/Further_Security_Steps

  • @Frost said:
    You seem to have no clue about anything in life, according to what you post...

    Don't you think that's a bit harsh? I mean, you can disagree with the guy but to become so insulting is quite uncalled for IMHO.

  • c0y Member

    @mpkossen said:
    Don't you think that's a bit harsh? I mean, you can disagree with the guy but to become so insulting is quite uncalled for IMHO.

    It was in reference to how he, as an ignorant person, thinks we have no clue about this, that we're talking shit and that there isn't a (new) exploit.

  • @Frost said:
    It was in reference to how he, as an ignorant person, thinks we have no clue about this, that we're talking shit and that there isn't a (new) exploit.

    There's like three lines of text he posted in this thread? How did you jump to those conclusions from that? He never said something about you. He just stated that, in general, there's usually quite some chatter in these threads that is not based on facts and is often untrue. That doesn't make him ignorant.

  • c0y Member
    edited October 2013

    @mpkossen said:
    There's like three lines of text he posted in this thread? How did you jump to those conclusions from that? He never said something about you. He just stated that, in general, there's usually quite some chatter in these threads that is not based on facts and is often untrue. That doesn't make him ignorant.

    Any sane person with eyes in his head would see that the exploit has been PROVED/CONFIRMED. He just started not responding to me after I proved him wrong a million times, which is good :-) but that doesn't mean I shouldn't point out how his statement is bogus

  • @Frost said:
    Any sane person with eyes in his head would see that the exploit has been PROVED/CONFIRMED. He just started not responding to me after I proved him wrong a million times, which is good :-) but that doesn't mean I shouldn't point out how his statement is bogus

    Where did he say it wasn't an exploit?

    I still fail to see how this is not just an unfounded rage against @sman. It's fine if you have a problem with him, but settle it elsewhere.

  • @Frost I completely agree with @mpkossen, @sman did not say anything to deserve such a response.

    Thanked by: mpkossen
  • c0y Member

    @fapvps said:
    Frost I completely agree with mpkossen, sman did not say anything to deserve such a response.

    @sman said:
    I love how these threads always manage to bring out the paranoid 'security experts' who have lots to say about things that most have no clue about.

    That's exactly what he does himself, and not just on security-related topics; look at his post history...

    Good example, the post not long after mine:

    @sman said:
    If you implement the further security steps whmcs suggests it would not be a problem anyways. In particular, change the admin folder name and password protect it

  • fapvps Member
    edited October 2013

    @Frost I see the context now. Still a bit harsh but understandable.

  • @Frost said:
    That's exactly what he does himself, and not just on security-related topics; look at his post history...

    @Frost said:
    It was in reference to how he, as an ignorant person, thinks we have no clue about this, that we're talking shit and that there isn't a (new) exploit.

    So that makes you say this? Him voicing his opinion just like everybody else here? He didn't even mention names nor was that his intention.

    If he's wrong just explain to him why you think he's wrong. There's no reason to start a personal attack and rage at him for those comments. If that's not an option, you'd better not respond at all.

  • c0y Member

    @mpkossen said:
    If he's wrong just explain to him why you think he's wrong. There's no reason to start a personal attack and rage at him for those comments. If that's not an option, you'd better not respond at all.

    If you took the time to do what I said, check his post history, you would see what stupid statements he made in the past and how he then attacked me for proving him wrong.

    If you want to be a moderator then don't go pointing fingers at stuff you don't like without knowing what happened besides that. You can't come back from a honeymoon and go play policeman in arguments you have zero perspective on.

  • @Frost said:
    He just started not responding to me after I proved him wrong a million times, which is good :-)

    Or because he's smarter. I asked him kindly some time ago to avoid you, same as I asked you. He got it; you don't get it and are still bringing things to a personal level. No one demands that you agree with his views, but stop bringing things to a personal level and insulting him whatever he says.

  • c0y Member

    @Spirit said:

    I proved his bogus claim wrong. What if someone thought password protecting the admin folder would actually fix it? Yes, I sometimes respond too personally to him, but god, his attitude.

  • sman Member
    edited October 2013

    @fapvps said:
    ....understandable.

    Do you disagree with the whmcs recommendations? I took the time to figure this out because I actually use whmcs.

    The exploit theoretically can allow hackers to get the admin password hash. In order to use it they then need to access the admin directory. If you rename the admin directory as per the WHMCS recommendation, it creates more work for them. If you then add a .htaccess password as per the WHMCS enhanced security recommendation, they will not gain access by using this exploit.

    Simple as that. Just the facts. No hyperbole, no FUD.

    If you disagree then go argue with WHMCS.
    http://blog.whmcs.com/news.php?t=79527

    WHMCS said:
    If the attacker is able to extract the true admin user password value, they would then need to also know the exact location of the admin login page as well as have access to load it. As described in our recommended further security steps, WHMCS provides an extra layer of protection to help mitigate the unauthorized access into the administrative area by allowing a custom admin folder path. We also recommend restricting IP access to that folder with an htaccess file.

  • c0y Member
    edited October 2013

    @sman said:

    Do you disagree with the whmcs recommendations? I took the time to figure this out because I actually use whmcs and earn a living from it.

    The exploit theoretically can allow hackers to get the admin password hash. In order to use it they then need to access the admin directory. If you rename it, that creates more work for them. If you then add a .htaccess password, they will not gain access by using this exploit.

    Simple as that. Just the facts.

    Stating false facts, yes. Because it was done with register.php, but it could be done with any user input going into MySQL.

  • fapvps Member
    edited October 2013

    @sman I was just saying that I understand why @Frost wrote the post the way he did. The understandable part only relates to that and has nothing to do with WHMCS. I didn't know you guys have some sort of feud going on and I don't want to be caught in the middle. Sorry for any confusion or misunderstanding on my part or yours.

  • sman Member
    edited October 2013

    @fapvps said:

    Lol... it takes two for a 'feud'. I have better things to do than argue with a child or someone with the emotional intelligence of one. It is amusing to watch though.

  • Can't we all just...get along?

  • sman Member
    edited October 2013

    @fapvps said:
    Can't we all just...get along?

    Just let it go. You are only feeding the troll on training wheels.

  • @sman said:

    That exploit allows you to run any SQL code you want; it's not something that just gives you the admin login credentials. Anyone could easily get all user info, VPS IPs and root passwords, and credit card numbers if any are stored. Also, an attacker could just destroy your whole database with that exploit.
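    The point Frost (L-"could be done with any user input going into MySQL") and serverian make above comes down to one mechanism: whether a request value is spliced into the SQL text or handed to the driver as a parameter. Renaming or password-protecting the admin folder does not change how the query is built. The script below is an added illustration, not code from this thread or from WHMCS; the `clients` table and its two rows are constructed, and Python's `sqlite3` stands in for MySQL because the quoting rule is the same. A plain apostrophe in a customer name is enough to show the difference: the spliced query breaks at parse time, while the parameterised one treats the whole value as data.

```python
import sqlite3

# Constructed sample data: a tiny stand-in for a billing system's client table.
SAMPLE_CLIENTS = [
    (1, "alice@example.test", "Alice"),
    (2, "obrien@example.test", "O'Brien"),
]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE clients (id INTEGER PRIMARY KEY, email TEXT, name TEXT)"
    )
    conn.executemany("INSERT INTO clients VALUES (?, ?, ?)", SAMPLE_CLIENTS)
    return conn


def find_by_name_unsafe(conn, name):
    # Flawed pattern: the request value becomes part of the SQL text, so any
    # quote character in it is parsed as SQL syntax instead of stored as data.
    sql = "SELECT id, email FROM clients WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_by_name_safe(conn, name):
    # Parameterised query: the value travels separately from the statement
    # and is never interpreted as SQL, whatever characters it contains.
    return conn.execute(
        "SELECT id, email FROM clients WHERE name = ?", (name,)
    ).fetchall()


def compare(name):
    """Run both lookups on a fresh database and return (unsafe, safe).

    If the spliced statement fails to parse, the unsafe result is the
    exception class name, so the caller can see that the input was read as
    SQL rather than as a name.
    """
    conn = make_db()
    try:
        unsafe = find_by_name_unsafe(conn, name)
    except sqlite3.Error as exc:
        unsafe = type(exc).__name__
    safe = find_by_name_safe(conn, name)
    conn.close()
    return unsafe, safe


if __name__ == "__main__":
    for probe in ("Alice", "O'Brien"):
        unsafe, safe = compare(probe)
        print(f"{probe!r}: spliced -> {unsafe}, parameterised -> {safe}")
```

    The takeaway for anyone auditing their own PHP around a billing panel is the same as for this toy: grep for queries assembled with string concatenation or interpolation and move each of them to prepared statements (PDO or mysqli in PHP), which is the fix that covers "any user input going into MySQL" rather than one script.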

  • sman Member
    edited October 2013

    @serverian said:

    Perhaps you should argue that point with WHMCS then. That is not what they are saying if you take the time to read their post...carefully.

    They do mention some non-specific, generic possibilities with SQL injection, but not that it was part of this exploit or even whether it's possible. Have you seen any of these in the wild? Please provide the exact 'code' you are referring to if you have. Not interested in generalities like 'it's a risk because... well, just because theoretically it is'.

    99.9999999% of the attacks will be that exact exploit. The guys who are good enough to figure out more than that, if it's even possible, won't be pissing around going after joe blow hosting company. They are too busy trying to hack into banks and getting hundreds of thousands of credit card numbers.

    If you are paranoid about 'what ifs' then you are in the wrong business anyways. There is always a risk as long as you are connected to the internet. Adobe just got hacked and had a bunch of customer details, including credit card numbers, and a bunch of their source code stolen. You going to stop using Adobe now? There... is... always... a... risk.
