Using ModulesFactory's Proxmox module? There's a nasty exploit!
Hello everyone,
While doing an installation for a client today I of ModulesFactory's Proxmox WHMCS Module that's quite nasty.
I already contacted the developer about this but haven't heard back anything. I also don't know if they will bother emailing everyone to update. Either way, it's simply easier to help people patch up and keep safe.
I've written a workaround patch but won't be releasing it to the public. Instead, if you're a provider and can prove you're using this, please email me at [email protected] or contact me on here and I'll provide you the patch. You can also skype me at 'deltaanime'.
Thanks to @mitgib for helping me confirm & test.
Francisco
Comments
Uh oh.
I believe that a number of provides are using this module. This could get very ugly, very quickly.
That's why I'd like people to contact me and get patched.
Francisco
Good luck getting a response on that, I looked at this module 18 months ago and reported numerous issues including potential vulnerabilities.
No response.
Well, I confirmed, and patched, one of the big ones I found. It's a hackjob of a patch but it works well enough.
Francisco
What kind of exploit? Full WHMCS / Proxmox access?
@francisco
Why not just drop in a download link to the patch for everyone? You are kind enough to notify us all about a serious ongoing issue, but the solution to it that you have created will not be published publicly? Is there any reason behind that?
All they have to do is kiss Fran's ring and they will be made
Because then where the issue is, is now in the wild and unsuspecting hosts could get popped.
Francisco
It's a nasty exploit, I'll leave it at that.
Francisco
I'm giving Proxmox a try this afternoon. Looks easy enough to install over Debian 8.
praisepony
Francisco
Just don't use it at all, it's safer all round.
Well, for once one of my threads isn't to criticize other hosts, it's just to lend a helping hand.
Francisco
Decency towards other hosts was never MarkTurner's strong side...
To be fair it isn't mine half the time either.
Francisco
BuyExploit, a new FranTech offering.
Have you seen a picture of Fran? He is a good looking man(nohomo), but reminds me of a gangster from pre-WWII movies, but maybe it is just me.
ponysploits.com - A Frantech Brand
Post/reply race condition :-) Updated my post with a pic of Don Francisco.
You forgot coming soon™
I feel he's way more elegant in his topless towel photo.
Dear Francisco,
Thank you, we received your report and have released a patch version 1.3.4.9.1 to address the vulnerability. Patch available for customers to download in their clientarea.
Thanks
Mohamed.
Modules Factory.
It's not a hosting issue, it's just that this vendor's modules always appear to be very rushed/sloppy, lack quality control, and they don't respond to bug reports even when the functionality of the module is non-existent.
Maybe you mean 'respect' not 'decency'. Respect has to be earned on all sides, it starts by doing the best you can do everyday and when things go wrong, learn from it and do your utmost to ensure it doesn't happen again. The people I complain about just keep doing the same thing day after day. The cerebrum isn't in gear.
No, I was indeed talking about decency. ;-)
But I must admit that my definition of "business decency" is based on a completely different industry. The hosting industry follows other rules than the one I am in. But we do not have to deepen this. In fact, I just wanted to aggravate you a bit. For the fun. You know, like in a pub when someone is making a half-serious joke just for the lolz. ;-)
Have a beer. It's on me.
Decency - 'behavior that conforms to accepted standards of morality or respectability.'
Borderline. But for the industry, probably better than most.
This industry, like the telecoms sector, is a cesspit. The concept of being a gentleman is completely devoid.
Thanks
I have tested the patch, and it does work as advertised.
We've been using this module lately for KVM and it seems fixed now.
Thanks
Not sure if they just ignored you or they don't want to show they had a vulnerability
ModulesFactory said: released a patch version 1.3.4.9.1 to address the vulnerability.
They acknowledged it.
You are confusing ModulesGarden with ModulesFactory.