SolusVM failure - CSRF exploit

netnub · Apr 19, 2013

I had time to decode SolusVM fully, I'll say one thing: Security.

It has many security issues once you peer inside the code, I've spotted a CSRF exploit already.

I won't post where the exploit is, but if anyone wants to see the code, let me know. I did also decode WHMCS 5.2.3 and it looks like WHMCS + SolusVM were both coded by the same person (the style + the shittiness of it).

SeriesN · Apr 20, 2013

Can you please elaborate what you found?

jarland · Apr 20, 2013

I would say shame on you for decoding it, but if you can then who can't, and if you found a security exploit well... I'd say your effort wasn't for nothing. Report this to SolusVM ASAP, if you haven't already.

netnub · Apr 22, 2013

jarland said:
I would say shame on you for decoding it, but if you can then who can't, and if you found a security exploit well... I'd say your effort wasn't for nothing. Report this to SolusVM ASAP, if you haven't already.

Yeah, I plan on reporting it once I get time, as it effects the latest version of SolusVM.

However, I don't see issues with decoding it. just like I decoded hostbill, whmcs, gamecpx, and many more software, I did this just for research reasons(finding bugs, reporting them). (P.S. SolusVM code is shitty, they finally are using PDO, unlike older versions).

Awmusic12635 · May 3, 2013

Did you ever get around to reporting this?

notFound · May 9, 2013

Is this you CurtisG?

shovenose · May 13, 2013

I don't think there is anything wrong with decoding software if you check it for vulnerabilities, report them, and delete it.

Aldryic C'boas · May 15, 2013

I don't see any problem with robbing a store if you check the currency for counterfeiting, report it, and return the cash.

bfj · May 15, 2013

Aldryic C'boas · May 15, 2013

Aye, some of the justifications for decoding are just... yeah.

Coastercraze · May 16, 2013

blergh · May 16, 2013

Aldryic C'boas · May 16, 2013

blergh said:
Apart from the fact that you are not physically stealing anything, or hurting anyone in any way. I would say that it is more of a "myster-shopper" thing than stealing. Stealing is obsurd.

I'll attempt to be less subtle with my sarcasm. The point is, having a contrived 'justification' doesn't actually negate the action taking place.

bfj · May 16, 2013

Removed Dupe due to weird ..................................

bfj · May 16, 2013

blergh said:
I would say that it is more of a "myster-shopper" thing than stealing. Stealing is obsurd.

Wasn't that whole mystery shopper deal a big scam, which would con people into paying them to get "in" and have them buy items and never get reimbursed for them?

Francisco · May 16, 2013

bfj said:
Wasn't that whole mystery shopper deal a big scam, which would con people into paying them to get "in" and have them buy items and never get reimbursed for them?

It's still a thing up here and it seems to be popular & well handled. My mom works for 'the hudson bay company' and she catches wind when a mystery shopper was through.

Francisco

Afterburst-Charlie · May 16, 2013

This does indeed sound interesting, have you proceeded to contact the appropriate persons to get these issues resolved? Is the beta-releases affected by these exploits as well?

SolusVM failure - CSRF exploit

netnub

New Member

SeriesN

Active Member

jarland

The ocean is digital

netnub

New Member

Awmusic12635

Active Member

notFound

Don't take me seriously!

shovenose

New Member

Aldryic C'boas

The Pony

bfj

New Member

Aldryic C'boas

The Pony

Coastercraze

Top Thrill

blergh

New Member

Aldryic C'boas

The Pony

bfj

New Member

bfj

New Member

Francisco

Company Lube

Afterburst-Charlie

New Member