New Solusvm Rlease - 1.14 Stable

[MartinD]

They've just pushed out the latest update to stable - 1.14

Release notes here:

http://docs.solusvm.com/release_versions_stable#section11400

Of particular interest:

 

Notes

This release also contains security enhancements as per the external audit recommendations.

 

[Jack]

It's not actually released yet via the panel I guess you could update via CLI? (Not tried)

 

[MartinD]

Yes, you can update via the CLI only for now.

 

[concerto49]

Yes, you can update via the CLI only for now.

This is the better approach anyway. Gives you a chance to take backups and roll back.

 

[Francisco]

Who knew you weren't supposed to pass $_GET and $_POST to the command line on a SETUID root process?

Francisco

 

[fisle]

Who knew you weren't supposed to pass $_GET and $_POST to the command line on a SETUID root process?


Francisco

This. It's horrifying when you realize how many people do things like these. Damn 12-year old coders.

 

[OnePoundWebHosting]

It's not actually released yet via the panel I guess you could update via CLI? (Not tried)

Update is now showing via the panel.

 

[Quexis]

Added form tokens to prevent CSRF attacks

Wow.

 

[peterw]

Wow.

Not WOW -> LOL. :mellow:

 

[drmike]

Will be interesting to see who suddenly exposes Solus to the world again and what comes of it.

Improvements made, due to audit...   

Anyone know if the audit is going to see daylight and the firm who performed the audit?

 

[Jack]

Will be interesting to see who suddenly exposes Solus to the world again and what comes of it.

Improvements made, due to audit...   

Anyone know if the audit is going to see daylight and the firm who performed the audit?

http://blog.soluslabs.com/2013/08/19/solusvm-external-security-audit-update/

 

[peterw]

http://blog.soluslabs.com/2013/08/19/solusvm-external-security-audit-update/

At least it was printed!

 

[DearLeaderJohn]

At least it was printed!

You would've thought they'd get it binded

 

[serverian]

http://blog.soluslabs.com/2013/08/19/solusvm-external-security-audit-update/

How many pages? LOL

 

[kaniini]

A quick test on my end shows that they are still using bare mysql_query()... which means that any sqli bugs are likely still wide open.

 

[DamienSB]

staticsafe new game


kaniini new game: own all the solusvm


staticsafe everytime you see mysql_query without sanitization in solusvm take another drink

This made me laugh - i had to post it.

 

[kaniini]

How many pages? LOL

Better yet -- what are the contents of that documentation?

 

[kaniini]

Took a closer look at SolusVM 1.14.  Current findings are:

Lots of potential SQLi's with $db->query() (their mysql_query(), essentially) involving lack of proper input validation.  Lots of SQL queries where it's like "SELECT * FROM database WHERE fooid > $value" -- $value needs to be first cast to int, and then validated.  Right now, SolusVM looks like this in a lot of places (code fragments are psuedocode illustrating the problem, not directly from SolusVM):


$start = $_POST['start'];
$res = $db->query("SELECT * FROM foolog WHERE id > $start");

This should be more like:


$start = (int) $_POST['start'];
if ($start > 0) {
$res = $db->query("SELECT * FROM foolog WHERE id > {$start}");
} else {
$res = null;
}

There are literally tons of these.  Man, if I were SolusVM I would be asking CNS Group for a refund.

As far as I can tell, they haven't really fixed anything and have basically bandaged up some of the more rotten areas of the code that had public exploits flying around care of that localhost.re guy.  Oh, and the CSRF thing, but that's nothing compared to these validation errors.

 

[Damian]

Waited 2 months and it's still a trainwreck... but we all knew that was going to happen, amirite?

 

[InertiaNetworks-John]

Just upgraded... let's hope this is good.