New Solusvm Rlease - 1.14 Stable

[RiotSecurity]

Who knew you weren't supposed to pass $_GET and $_POST to the command line on a SETUID root process?


Francisco

At least they attempted to secure it.... not.

$cleaned = $_POST['variable']; // must be clean, doh!

exec($cleaned);

 

[mitgib]

Wonder what they forgot? 

After updating, my nodes are yelling bloody murder, but what I wonder

Dear Hostigation,

The load on e3la02.hostigation.com has reached it's alert limit (20). Details of loads are listed below:

1 Minute : the
5 Minute : ionCube
15 Minute : Loader.

Date: September 2, 2013, 3:10 pm

Regards,
Hostigation

 

[MartinD]

Isn't that an issue with old ioncube loaders?

 

[mitgib]

Isn't that an issue with old ioncube loaders?

I don't know, possibly, but you'd think Solus would pull an update if their package needed an update, they do maintain the master after all, you'd never see cPanel release this without applying patches to packages that need to be updated.

 

[Cloudrck]

At least they attempted to secure it.... not.

$cleaned = $_POST['variable']; // must be clean, doh!

exec($cleaned);

That's a joke right? No way a for-profit company deals with such amaetur code.

 

[Aldryic C'boas]

That's a joke right? No way a for-profit company deals with such amaetur code.

Considering that before all this went down, they frequently used exec($_POST[]), the only joke is that they are still getting people to pay them.

 

[Cloudrck]

Considering that before all this went down, they frequently used exec($_POST[]), the only joke is that they are still getting people to pay them.

I've found most providers don't program, and don't care how the code is executed as long as it "works". Even after all the security issues, and issues likely to happen in the future, since there is no mainstream alternative companies will continue to settle for mediocrity.  I'm still amazed though.

 

[mitgib]

I've found most providers don't program, and don't care how the code is executed as long as it "works". Even after all the security issues, and issues likely to happen in the future, since there is no mainstream alternative companies will continue to settle for mediocrity.  I'm still amazed though.

It is true, most do not code, or do so poorly and chose to pay for a better product/service.  I've seen countless people proclaim to be able to write/release something better, and I am willing to pay for something better, but nobody has stood up to take the challenge, so to all those claiming to write better and willing to release, I say you are full of hot air, otherwise I would be paying you.

 

[Cloudrck]

It is true, most do not code, or do so poorly and chose to pay for a better product/service.  I've seen countless people proclaim to be able to write/release something better, and I am willing to pay for something better, but nobody has stood up to take the challenge, so to all those claiming to write better and willing to release, I say you are full of hot air, otherwise I would be paying you.

Being able to code better does not mean one has the time to release a product with support/updates. I'd rather fork/modify and existing product. (which I have done)

 

[mitgib]

Being able to code better does not mean one has the time to release a product with support/updates. I'd rather fork/modify and existing product. (which I have done)

So you are not willing to release, and that is fine.

 

[Cloudrck]

So you are not willing to release, and that is fine.

I never said that.

 

[Coastercraze]

Anyone else notice older VZ nodes are unable to connect to the master after the update?

Edit: Appears to be ionCube related... Just update your loaders and it works again.

http://docs.solusvm.com/ioncube_upgrade

 

[VPSCorey]

Again Central Backup failed to make it's appearance.

 

[Francisco]

Again Central Backup failed to make it's appearance.

They're likely going to have to rewrite it.

The way backups are handled is a complete and utter clusterfuck.

For the longest time the platform never even *made* working backups. The backups would be a few K.

Yes, the primary exploit that solus had was that they took straight $_POST right to a setuid root process with shell_exec().

The only joke is that people paid and are still paying for this platform.

Francisco

 

[SeriesN]

They're likely going to have to rewrite it.


The way backups are handled is a complete and utter clusterfuck.


For the longest time the platform never even *made* working backups. The backups would be a few K.


Yes, the primary exploit that solus had was that they took straight $_POST right to a setuid root process with shell_exec().


The only joke is that people paid and are still paying for this platform.


Francisco

Well stallion is not up for sale >_<

 

[MartinD]

Another update has been pushed out to 1.14.01

 

[kaniini]

No changelog.  I'll dig into it in a bit.

 

[OnePoundWebHosting]

http://blog.soluslabs.com/2013/09/03/solusvm-v1-14-01-released/

http://docs.solusvm.com/release_versions_stable#section11401

Brief changelog

 

[kaniini]

http://blog.soluslabs.com/2013/09/03/solusvm-v1-14-01-released/

http://docs.solusvm.com/release_versions_stable#section11401

Brief changelog

Yeah, it's there now.  It wasn't at the time I posted.

It seems that some of the type validation issues have been fixed, but I think that Phill could stand to take another look through.  A few things in that area are still sticking out.

 

[Francisco]

Yeah, it's there now.  It wasn't at the time I posted.

It seems that some of the type validation issues have been fixed, but I think that Phill could stand to take another look through.  A few things in that area are still sticking out.

Don't expect a masterpiece boss. MUCH of their codebase was outsourced in the beginning and a lot of it was never replaced. They simply bolted things on over time.

They had a Jason guy for a while that seemed to know what he was doing but I haven't seen him around in ages.

Francisco