# New SolusVM Release - 1.14 Stable



## MartinD (Sep 2, 2013)

They've just pushed out the latest update to stable - 1.14

Release notes here:

http://docs.solusvm.com/release_versions_stable#section11400

Of particular interest:



> Notes
> 
> This release also contains security enhancements as per the external audit recommendations.


----------



## Jack (Sep 2, 2013)

It's not actually released yet via the panel. I guess you could update via CLI? (Not tried)


----------



## MartinD (Sep 2, 2013)

Yes, you can update via the CLI only for now.


----------



## concerto49 (Sep 2, 2013)

MartinD said:


> Yes, you can update via the CLI only for now.


This is the better approach anyway. Gives you a chance to take backups and roll back.


----------



## Francisco (Sep 2, 2013)

Who knew you weren't supposed to pass $_GET and $_POST to the command line on a SETUID root process?

Francisco


----------



## fisle (Sep 2, 2013)

Francisco said:


> Who knew you weren't supposed to pass $_GET and $_POST to the command line on a SETUID root process?
> 
> 
> Francisco



This. It's horrifying when you realize how many people do things like these. Damn 12-year-old coders.


----------



## OnePoundWebHosting (Sep 2, 2013)

Jack said:


> It's not actually released yet via the panel. I guess you could update via CLI? (Not tried)


Update is now showing via the panel.


----------



## Quexis (Sep 2, 2013)

> Added form tokens to prevent CSRF attacks


Wow.


----------



## peterw (Sep 2, 2013)

Speck said:


> Wow.


Not WOW -> LOL. :mellow:


----------



## drmike (Sep 2, 2013)

Will be interesting to see who suddenly exposes Solus to the world again and what comes of it.

Improvements made, due to audit...

Anyone know if the audit is going to see daylight and the firm who performed the audit?


----------



## Jack (Sep 2, 2013)

buffalooed said:


> Will be interesting to see who suddenly exposes Solus to the world again and what comes of it.
> 
> Improvements made, due to audit...
> 
> Anyone know if the audit is going to see daylight and the firm who performed the audit?


http://blog.soluslabs.com/2013/08/19/solusvm-external-security-audit-update/


----------



## peterw (Sep 2, 2013)

Jack said:


> http://blog.soluslabs.com/2013/08/19/solusvm-external-security-audit-update/


At least it was printed!


----------



## DearLeaderJohn (Sep 2, 2013)

peterw said:


> At least it was printed!


You would've thought they'd get it bound.


----------



## serverian (Sep 2, 2013)

Jack said:


> http://blog.soluslabs.com/2013/08/19/solusvm-external-security-audit-update/


How many pages? LOL


----------



## kaniini (Sep 2, 2013)

A quick test on my end shows that they are still using bare mysql_query()... which means that any sqli bugs are likely still wide open.


----------



## DamienSB (Sep 2, 2013)

> staticsafe new game
> 
> 
> kaniini new game: own all the solusvm
> ...


This made me laugh - i had to post it.


----------



## kaniini (Sep 2, 2013)

serverian said:


> How many pages? LOL


Better yet -- what are the contents of that documentation?


----------



## kaniini (Sep 2, 2013)

Took a closer look at SolusVM 1.14.  Current findings are:

Lots of potential SQLi's with $db->query() (their mysql_query(), essentially) involving lack of proper input _validation_.  Lots of SQL queries where it's like "SELECT * FROM database WHERE fooid > $value" -- $value needs to be first cast to int, and then validated.  Right now, SolusVM looks like this in a lot of places (code fragments are pseudocode illustrating the problem, not directly from SolusVM):


```php
// Untrusted POST value interpolated straight into the query text.
$start = $_POST['start'];
$res = $db->query("SELECT * FROM foolog WHERE id > $start");
```

This should be more like:


```php
// Cast to int first, then validate the range before the value reaches SQL.
$start = (int) $_POST['start'];
if ($start > 0) {
    $res = $db->query("SELECT * FROM foolog WHERE id > {$start}");
} else {
    $res = null;
}
```

There are literally _tons_ of these.  Man, if I were SolusVM I would be asking CNS Group for a refund.

As far as I can tell, they haven't really fixed anything and have basically bandaged up some of the more rotten areas of the code that had public exploits flying around care of that localhost.re guy.  Oh, and the CSRF thing, but that's nothing compared to these validation errors.
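The validation pattern kaniini describes, as an added example that is neither SolusVM's code nor his: a vulnerable query helper beside a hardened one. It uses filter_var with FILTER_VALIDATE_INT (which rejects non-integer input outright rather than casting it, a small departure from the (int) cast above) plus a PDO prepared statement; the in-memory SQLite table "foolog", its rows and the inputs are constructed for the demo.

```php
<?php
// Added example, not SolusVM code: the pattern from the post above, as a
// vulnerable helper beside a hardened one. Runs stand-alone against an
// in-memory SQLite database via PDO; table "foolog" and its rows are constructed.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE foolog (id INTEGER PRIMARY KEY, msg TEXT)');
$ins = $db->prepare('INSERT INTO foolog (msg) VALUES (?)');
foreach (['boot', 'login', 'reboot'] as $msg) {
    $ins->execute([$msg]);
}

// Vulnerable: the raw POST value is interpolated into the SQL text, so any
// input that is not a plain number rewrites the query itself.
function logsAfterUnsafe(PDO $db, array $post): array
{
    $start = $post['start'];
    return $db->query("SELECT * FROM foolog WHERE id > $start")
              ->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: validate type and range first (filter_var rejects anything that is
// not an integer >= 0 instead of silently casting it), then bind the value as a
// parameter so the database never parses it as SQL. Returns null on bad input
// so the caller can answer with an error instead of running a query.
function logsAfterSafe(PDO $db, array $post): ?array
{
    $start = filter_var($post['start'] ?? null, FILTER_VALIDATE_INT,
                        ['options' => ['min_range' => 0]]);
    if ($start === false) {
        return null;
    }
    $stmt = $db->prepare('SELECT * FROM foolog WHERE id > :start');
    $stmt->execute([':start' => $start]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: a legitimate id and a value that is not an integer.
$good = ['start' => '1'];
$bad  = ['start' => '1 OR 1=1'];

echo count(logsAfterSafe($db, $good)), " rows for valid input\n";        // 2
var_dump(logsAfterSafe($db, $bad));                                      // NULL: rejected
echo count(logsAfterUnsafe($db, $bad)), " rows from the unsafe query\n"; // 3: every row
```

The hardened helper never builds SQL from the request at all; the check in the post above (cast, then range-test) is the minimum, and binding the value as a parameter is what makes the query text independent of the input.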


----------



## Damian (Sep 2, 2013)

Waited 2 months and it's still a trainwreck... but we all knew that was going to happen, amirite?


----------



## InertiaNetworks-John (Sep 2, 2013)

Just upgraded... let's hope this is good.


----------



## RiotSecurity (Sep 2, 2013)

Francisco said:


> Who knew you weren't supposed to pass $_GET and $_POST to the command line on a SETUID root process?
> 
> 
> Francisco


At least they attempted to secure it.... not.

```php
$cleaned = $_POST['variable']; // must be clean, doh!

exec($cleaned);
```


----------



## mitgib (Sep 2, 2013)

Wonder what they forgot?

After updating, my nodes are yelling bloody murder, but what I wonder



> Dear Hostigation,
> 
> The load on e3la02.hostigation.com has reached it's alert limit (20). Details of loads are listed below:
> 
> ...


----------



## MartinD (Sep 2, 2013)

Isn't that an issue with old ioncube loaders?


----------



## mitgib (Sep 2, 2013)

MartinD said:


> Isn't that an issue with old ioncube loaders?


I don't know, possibly, but you'd think Solus would pull in an update if their package needed one; they do maintain the master, after all. You'd never see cPanel release this without applying patches to packages that need to be updated.


----------



## Cloudrck (Sep 2, 2013)

RiotSecurity said:


> At least they attempted to secure it.... not.
> 
> $cleaned = $_POST['variable']; // must be clean, doh!
> 
> exec($cleaned);


That's a joke, right? No way a for-profit company deals with such amateur code.


----------



## Aldryic C'boas (Sep 2, 2013)

Cloudrck said:


> That's a joke, right? No way a for-profit company deals with such amateur code.


Considering that before all this went down, they frequently used *exec($_POST[])*, the only joke is that they are still getting people to pay them.


----------



## Cloudrck (Sep 2, 2013)

Aldryic C said:


> Considering that before all this went down, they frequently used *exec($_POST[])*, the only joke is that they are still getting people to pay them.


I've found most providers don't program, and don't care how the code is executed as long as it "works". Even after all the security issues, and issues likely to happen in the future, since there is no mainstream alternative companies will continue to settle for mediocrity.  I'm still amazed though.


----------



## mitgib (Sep 2, 2013)

Cloudrck said:


> I've found most providers don't program, and don't care how the code is executed as long as it "works". Even after all the security issues, and issues likely to happen in the future, since there is no mainstream alternative companies will continue to settle for mediocrity.  I'm still amazed though.


It is true, most do not code, or do so poorly, and choose to pay for a better product/service.  I've seen countless people proclaim to be able to write/release something better, and I am willing to pay for something better, but nobody has stood up to take the challenge. So to all those claiming to write better and willing to release, I say you are full of hot air; otherwise I would be paying you.


----------



## Cloudrck (Sep 2, 2013)

mitgib said:


> It is true, most do not code, or do so poorly, and choose to pay for a better product/service.  I've seen countless people proclaim to be able to write/release something better, and I am willing to pay for something better, but nobody has stood up to take the challenge. So to all those claiming to write better and willing to release, I say you are full of hot air; otherwise I would be paying you.


Being able to code better does not mean one has the time to release a product with support/updates. I'd rather fork/modify an existing product (which I have done).


----------



## mitgib (Sep 2, 2013)

Cloudrck said:


> Being able to code better does not mean one has the time to release a product with support/updates. I'd rather fork/modify an existing product (which I have done).


So you are not willing to release, and that is fine.


----------



## Cloudrck (Sep 2, 2013)

mitgib said:


> So you are not willing to release, and that is fine.


I never said that.


----------



## Coastercraze (Sep 2, 2013)

Anyone else notice older VZ nodes are unable to connect to the master after the update?

Edit: Appears to be ionCube related... Just update your loaders and it works again.

http://docs.solusvm.com/ioncube_upgrade


----------



## VPSCorey (Sep 2, 2013)

Again Central Backup failed to make its appearance.


----------



## Francisco (Sep 2, 2013)

FRCorey said:


> Again Central Backup failed to make its appearance.


They're likely going to have to rewrite it.

The way backups are handled is a complete and utter clusterfuck.

For the longest time the platform never even *made* working backups. The backups would be a few K.

Yes, the primary exploit that solus had was that they took straight $_POST right to a setuid root process with shell_exec().

The only joke is that people paid and are still paying for this platform.

Francisco


----------



## SeriesN (Sep 2, 2013)

Francisco said:


> They're likely going to have to rewrite it.
> 
> 
> The way backups are handled is a complete and utter clusterfuck.
> ...


Well stallion is not up for sale >_<


----------



## MartinD (Sep 3, 2013)

Another update has been pushed out to 1.14.01


----------



## kaniini (Sep 3, 2013)

No changelog.  I'll dig into it in a bit.


----------



## OnePoundWebHosting (Sep 3, 2013)

http://blog.soluslabs.com/2013/09/03/solusvm-v1-14-01-released/

http://docs.solusvm.com/release_versions_stable#section11401

Brief changelog


----------



## kaniini (Sep 3, 2013)

OnePoundWebHosting said:


> http://blog.soluslabs.com/2013/09/03/solusvm-v1-14-01-released/
> 
> http://docs.solusvm.com/release_versions_stable#section11401
> 
> Brief changelog


Yeah, it's there now.  It wasn't at the time I posted.

It seems that some of the type validation issues have been fixed, but I think that Phill could stand to take another look through.  A few things in that area are still sticking out.


----------



## Francisco (Sep 3, 2013)

kaniini said:


> Yeah, it's there now.  It wasn't at the time I posted.
> 
> It seems that some of the type validation issues have been fixed, but I think that Phill could stand to take another look through.  A few things in that area are still sticking out.


Don't expect a masterpiece boss. MUCH of their codebase was outsourced in the beginning and a lot of it was never replaced. They simply bolted things on over time.

They had a Jason guy for a while that seemed to know what he was doing but I haven't seen him around in ages.

Francisco


----------



## weservit (Sep 3, 2013)

Francisco said:


> Don't expect a masterpiece boss. MUCH of their codebase was outsourced in the beginning and a lot of it was never replaced. They simply bolted things on over time.
> 
> 
> They had a Jason guy for a while that seemed to know what he was doing but I haven't seen him around in ages.
> ...


> Kind Regards,
> 
> Jason Smith - SolusLabs Management Team
> 
> --

Looks like he is still around!


----------



## Francisco (Sep 3, 2013)

weservit said:


> Kind Regards,
> 
> Jason Smith - SolusLabs Management Team
> 
> ...


Well that's good!

Still, anyone that has gone through the admin pages can tell there have been many different hands through there.

Francisco


----------



## Nick_A (Sep 3, 2013)

They broke the Forgot Password process ;_;


----------



## Nick_A (Sep 3, 2013)

Ok Phill fixed it quickly.


----------



## H_Heisenberg (Sep 3, 2013)

Can someone post me a few pictures of the "new again" look?


----------



## MartinD (Sep 3, 2013)

H_Heisenberg said:


> Can someone post me a few pictures of the "new again" look?


Download a trial and install it.


----------

