amuck-landowner

New Solusvm Rlease - 1.14 Stable

Jack

Active Member
It's not actually released yet via the panel I guess you could update via CLI? (Not tried)
 
Last edited by a moderator:

fisle

Active Member
Who knew you weren't supposed to pass $_GET and $_POST to the command line on a SETUID root process?


Francisco

This. It's horrifying when you realize how many people do things like these. Damn 12-year old coders.
 

drmike

100% Tier-1 Gogent
Will be interesting to see who suddenly exposes Solus to the world again and what comes of it.

Improvements made, due to audit...   

Anyone know if the audit is going to see daylight and the firm who performed the audit?
 

Jack

Active Member
Will be interesting to see who suddenly exposes Solus to the world again and what comes of it.

Improvements made, due to audit...   

Anyone know if the audit is going to see daylight and the firm who performed the audit?
http://blog.soluslabs.com/2013/08/19/solusvm-external-security-audit-update/

report-225x300.jpg
 
Last edited by a moderator:

kaniini

Beware the bunny-rabbit!
Verified Provider
A quick test on my end shows that they are still using bare mysql_query()... which means that any sqli bugs are likely still wide open.
 

DamienSB

Active Member
Verified Provider
staticsafe new game


kaniini new game: own all the solusvm


staticsafe everytime you see mysql_query without sanitization in solusvm take another drink
This made me laugh - i had to post it.
 

kaniini

Beware the bunny-rabbit!
Verified Provider
Took a closer look at SolusVM 1.14.  Current findings are:

Lots of potential SQLi's with $db->query() (their mysql_query(), essentially) involving lack of proper input validation.  Lots of SQL queries where it's like "SELECT * FROM database WHERE fooid > $value" -- $value needs to be first cast to int, and then validated.  Right now, SolusVM looks like this in a lot of places (code fragments are psuedocode illustrating the problem, not directly from SolusVM):


$start = $_POST['start'];
$res = $db->query("SELECT * FROM foolog WHERE id > $start");

This should be more like:


$start = (int) $_POST['start'];
if ($start > 0) {
$res = $db->query("SELECT * FROM foolog WHERE id > {$start}");
} else {
$res = null;
}

There are literally tons of these.  Man, if I were SolusVM I would be asking CNS Group for a refund.

As far as I can tell, they haven't really fixed anything and have basically bandaged up some of the more rotten areas of the code that had public exploits flying around care of that localhost.re guy.  Oh, and the CSRF thing, but that's nothing compared to these validation errors.
 
Last edited by a moderator:

Damian

New Member
Verified Provider
Waited 2 months and it's still a trainwreck... but we all knew that was going to happen, amirite?

drysoup.jpg
 
Last edited by a moderator:
Top
amuck-landowner