
SolusVM WHMCS Module Vulnerability

D. Strout

Resident IPv6 Proponent
@D. Strout KVM vulnerabilities are less likely to occur, just because of the way it functions.
I hope you're right. Selling VPSes is getting to be enough of a headache without vulnerabilities in the underlying bits. I do come off a bit pessimistic there, really I'm excited to see some of the (hopefully better) software that will come out of these fiascoes.
 

D. Strout

Resident IPv6 Proponent
Reported the issue to Solus. Their "audits" aren't very encouraging though.
...To put it mildly. Really whether real change comes at this point depends on if SVM realizes that people are willing to ditch their product due to these issues and the utter lack of transparency. (They are, aren't they?) If there's any chance that sales will continue despite this, nothing will happen.
 

weservit

New Member
Verified Provider
Received from Solus:


Yes, we are working on this. The patch will be ready within a couple of minutes.


I would suggest disabling the API from SolusVM until our senior admin confirms the patch.
 

kaniini

Beware the bunny-rabbit!
Verified Provider
I hope you're right. Selling VPSes is getting to be enough of a headache without vulnerabilities in the underlying bits. I do come off a bit pessimistic there, really I'm excited to see some of the (hopefully better) software that will come out of these fiascoes.
Unfortunately not.  Capisso VMPanel, for example, is making the same exact security mistakes.  And any software that is good, like Stallion or Cloudware, is not likely to be handed out like candy.
 

rsk

Active Member
Verified Provider
So does this mean ModulesGarden's SolusVM/WHMCS module is safer than the original SolusVM-produced WHMCS addon? XD

Sheesh...
 

kaniini

Beware the bunny-rabbit!
Verified Provider
...To put it mildly. Really whether real change comes at this point depends on if SVM realizes that people are willing to ditch their product due to these issues and the utter lack of transparency. (They are, aren't they?) If there's any chance that sales will continue despite this, nothing will happen.
No change will come because ultimately, the children running SolusVM (and let me assure you, 90% of SolusVM customers are children) will continue to run it, because the software enables them.

The serious players in this industry either gave up on Solus a long time ago (BuyVM, for example) or never ran it in the first place (Linode, Rackspace, etc).

Capisso etc. with or without the same security vulnerabilities won't ship either, because nobody will care.  SolusVM will forgive a few months of licensing fees and that will be the end of it, I assure you.

The only way change will happen is if the customers stop paying for substandard products run by the substandard companies that provide them.  If people refuse to buy VPSes managed by Solus, then you will have their attention.
 

D. Strout

Resident IPv6 Proponent
No change will come because ultimately, the children running SolusVM (and let me assure you, 90% of SolusVM customers are children) will continue to run it, because the software enables them.
I hope you're wrong. Take the LET > VPSB move. I never thought there would be any major move away from LET due to inertia. But there was. Hopefully someone will come through with a really good product and people will wake up, take notice, and switch.
 

kaniini

Beware the bunny-rabbit!
Verified Provider
I hope you're wrong. Take the LET > VPSB move. I never thought there would be any major move away from LET due to inertia. But there was. Hopefully someone will come through with a really good product and people will wake up, take notice, and switch.
The problem with your theory is that switching from LET to VPSB is easy: you just go to a new site.

Switching to a new panel is a much more complex proposition.  Beyond that, the people delivering these panels (again I use Capisso VMPanel as an example here) are likely incapable of providing a migration tool if they even ship any code to begin with.

So, for migration, you're probably on your own.  Now, if you're a typical host on here, meaning that you don't have the sufficient skills to run the business to begin with, but are able to fake it because SolusVM is good enough 75% of the time, are you really going to take the gamble with your livelihood?
 

mikho

Not to be taken seriously, ever!
I hope you're wrong. Take the LET > VPSB move. I never thought there would be any major move away from LET due to inertia. But there was. Hopefully someone will come through with a really good product and people will wake up, take notice, and switch.
It was timing that made it possible, something that had been created before the hack of LET. Not after or because of it.
And it was something that was created by a member of LET who was well respected.


And come to think about it, it was actually a small change compared to a provider changing the backbone of their setup.


I guess that would be harder.
 

kaniini

Beware the bunny-rabbit!
Verified Provider
Missed this one:

So does this mean ModulesGarden's SolusVM/WHMCS module is safer than the original SolusVM-produced WHMCS addon? XD

Sheesh...
The vulnerability is in the fact that the "Solusvmpro" module does not filter form parameters and uses libcurl to POST to the SolusVM master.

Whether or not the ModulesGarden module is safer has to do with whether or not the same behaviour is used.  But it is probably safer to assume that the exact same method of POSTing to the SolusVM master is used, due to the nature of PHP coders to cut-and-paste code.

So, I'd say both modules are probably vulnerable in the same way... but I do not have access to the source of the ModulesGarden one to confirm that.
 
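As an added illustration, not code from SolusVM or ModulesGarden, here is the filtering step kaniini's post says the module lacks: a per-action allow-list applied to the WHMCS form fields before the array is handed to the curl POST. The action names, the parameter names (vserverid, id, key) and the PHP 7 syntax are assumptions made for this example.

```php
<?php
// Added illustration (not SolusVM's or ModulesGarden's code) of the bug class
// kaniini describes: a WHMCS-side module that forwards browser form fields
// to the SolusVM master. Action and parameter names are assumptions.

// Per-action allow-list of client-supplied fields and the shape each must
// have. Anything the browser sends that is not listed here is dropped.
const ALLOWED_FIELDS = [
    'vserver-reboot'  => ['vserverid' => '/^\d+$/'],
    'vserver-console' => ['vserverid' => '/^\d+$/'],
];

// The unfiltered shape: every form field becomes an upstream API parameter,
// so the client decides what the master is asked to do.
function buildUpstreamFieldsUnfiltered(array $post, string $id, string $key): array
{
    return array_merge($post, ['id' => $id, 'key' => $key]);
}

// The filtered shape: the action is chosen server-side, only allow-listed
// fields are copied, each is validated, and credentials are set last so a
// form field can never override them.
function buildUpstreamFields(string $action, array $post, string $id, string $key): array
{
    if (!isset(ALLOWED_FIELDS[$action])) {
        throw new InvalidArgumentException("unknown action: $action");
    }
    $fields = ['action' => $action];
    foreach (ALLOWED_FIELDS[$action] as $name => $pattern) {
        $value = $post[$name] ?? null;
        if (!is_string($value) || !preg_match($pattern, $value)) {
            throw new InvalidArgumentException("missing or malformed field: $name");
        }
        $fields[$name] = $value;
    }
    $fields['id']  = $id;  // API credentials come from module config,
    $fields['key'] = $key; // never from the request
    return $fields;        // hand this, and only this, to http_build_query()
}

// Constructed sample: the form carries an unexpected extra field and tries
// to set the API id itself. Only vserverid survives the filter.
$post = ['vserverid' => '42', 'extra' => 'unexpected', 'id' => 'client-chosen'];
print_r(buildUpstreamFields('vserver-reboot', $post, 'CONFIGURED_ID', 'CONFIGURED_KEY'));
```

The contrast to look for in a module review is whether the array given to CURLOPT_POSTFIELDS is built from the request wholesale, as in the first function, or from a fixed, validated set of fields, as in the second.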

drmike

100% Tier-1 Gogent
Chris knows, I messaged him as I figured he'd be first to get hit by it
 

I don't know why he's such a big target.  It could be because he's the biggest.... mouth...?

Nice of you to give him a heads up though :)

Solus Labs give me an uneasy feeling in general.   I am not in the industry, but do unfortunately end up using their product(s).  Well, until sensible hosts took their software offline.

The destiny of HyperVM was pretty sad - despite the personal problems that Ligesh had, he had still managed to create a good product on his own. Here is a little bit about us:

Phillip Bandelow (Lead Developer / Co Founder):

Phill is pretty much the brains behind the SolusVM operation and the 'frontman' for the SolusLabs project. He is an expert when it comes to Linux OSes and has many years' experience in support roles, IRC servers and network topology.

David Austen (Developer / Co Founder):

David Austen has been in IT since the mid 80's, working in secure communications for Plessey (British Army, Germany), BP, NCR and most of the banking sector. In 2001 David started 'Starteck Online' - a small hosting company that still exists to this day. In October 2008 David and Phill started ValueVPS Ltd, a VPS provider situated in the budget end of the hosting market.

Kelly Hunter:

Kelly is the backbone of the company, keeping the financials 'right' and the paperwork sorted. She also manages day to day operations in the office. Kelly has long term experience in local Government administration.

Business Info...

Currently we have no need to employ anyone else as SolusVM is a very manageable product. SolusLabs works from the office of ValueVPS based in the North East of England. There are plans to relocate to a more centralised office near our datacentre in the next few years, moving a little closer to Phill so he doesn't need to telework so often. 

Because of the history behind the way the three businesses were started, we do plan to employ people in the future but will be looking toward training people from deprived areas/backgrounds that would probably never get a chance to work in the IT sector - our way of giving something back to society. This is most likely to happen over the next 12-18 months.

We are an eco-friendly, green approved business as we operate in an environmentally friendly manner. We use recycled paper, work from home as much as possible and use low power hardware when we can.

If anyone has any questions, please feel free to ask. We will still be here tomorrow, and have no plans of falling off the face of the earth.
 