amuck-landowner

SolusVM WHMCS Module Vulnerability

Jack

Active Member
I don't know why he's such a big target.  It could be because he's the biggest.... mouth...?

Nice of you to give him a heads up though :)

Solus Labs give me an uneasy feeling in general. I am not in the industry, but do unfortunately end up using their product(s). Well, until sensible hosts took their software offline.
He seems to have calmed down a bit now on forums.
 

Francisco

Company Lube
Verified Provider
Solus can afford a 6 figure salary?
I don't know :)

Remember, Solus makes a lot of money. They aren't some operation making a few thousand a month. 99%+ of the current VPS market is "powered" by SolusVM. Chris alone was coughing them for 200 104 nodes, so $1000/m+ from him alone, RamNode is another $500/m+, Hostigation is likely the same. BurstNET uses it for their KVM offers so they're coughing at least a few hundred to them too. That's not counting the countless other VPS hosts around here that are adding smaller amounts.

I figure solus is likely in the half mill a year range.

Francisco
 

Francisco

Company Lube
Verified Provider
He seems to have calmed down a bit now on forums.
Happened last time as well. Every time he gets pants'd he calms down and becomes very down to earth.

Give it a few months, he'll forget that this all happened and be back to his usual.

Francisco
 

Aldryic C'boas

The Pony
Now, if you're a typical host on here, meaning that you don't have the sufficient skills to run the business to begin with, but are able to fake it because SolusVM is good enough 75% of the time
 

It amuses me to no end how many people just walked right past that with their heads bowed, desperately trying not to make eye contact.
 

clone1018

New Member
Unfortunately not.  Capisso VMPanel, for example, is making the same exact security mistakes.  And any software that is good, like Stallion or Cloudware is not likely to be handed out like candy.
Which mistakes are those?

-- Actually if you'd like to PM me so we don't clutter this thread, that would be great.
 

kaniini

Beware the bunny-rabbit!
Verified Provider
Which mistakes are those?

-- Actually if you'd like to PM me so we don't clutter this thread, that would be great.
Your demo that you showed earlier shows the output of raw commands being run on nodes.  If you are designing things properly, you wouldn't even be thinking about running raw commands in the API layer, as I have said now ad infinitum.

From the node perspective you should assume that your controller is just as hostile as any other box on the net and force them to speak a proper API to you.
 

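To make kaniini's point concrete, here is an added example (not code from SolusVM, Virtualizor, or any of the panels discussed in this thread) of what "force the controller to speak a proper API" looks like on the node side. The controller is treated as untrusted: every request must carry an HMAC over the body, only an allowlisted set of operations is accepted, each parameter is type- and syntax-checked, and the result is an argv list handed to a hypothetical local helper `vmctl` rather than a string handed to a shell. The shared key, the `vmctl` helper, and the message format are all assumptions for the example; `unsafe_handle` shows the raw-command pattern being criticised for contrast only.

```python
from __future__ import annotations

import hashlib
import hmac
import json
import re

# Assumption: a per-node secret provisioned out of band (never sent by the controller).
NODE_KEY = b"example-node-key-replace-me"

# The only operations this node will perform, with the exact parameter
# names each one accepts. The controller cannot ask for anything else.
ALLOWED_OPS: dict[str, set[str]] = {
    "start": {"vmid"},
    "stop": {"vmid"},
    "reboot": {"vmid"},
    "set_hostname": {"vmid", "hostname"},
}

# RFC 1123-style hostname: rejects spaces, quotes, ';', '$(' and similar.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$"
)


def sign(raw: bytes, key: bytes = NODE_KEY) -> str:
    """Controller side: tag a request body with hex HMAC-SHA256."""
    return hmac.new(key, raw, hashlib.sha256).hexdigest()


def encode_request(op: str, params: dict) -> bytes:
    """Controller side: canonical JSON body for a request."""
    return json.dumps({"op": op, "params": params}, sort_keys=True).encode()


def validate(msg: object) -> tuple[bool, object]:
    """Node side: structural and value checks on an authenticated message."""
    if not isinstance(msg, dict):
        return False, "body is not an object"
    op = msg.get("op")
    if op not in ALLOWED_OPS:
        return False, "unknown operation"
    params = msg.get("params")
    if not isinstance(params, dict) or set(params) != ALLOWED_OPS[op]:
        return False, "wrong parameter set"
    vmid = params["vmid"]
    # bool is a subclass of int in Python; exclude it explicitly.
    if isinstance(vmid, bool) or not isinstance(vmid, int) or not 1 <= vmid <= 10**9:
        return False, "vmid must be a positive integer"
    if "hostname" in params:
        hostname = params["hostname"]
        if not isinstance(hostname, str) or not HOSTNAME_RE.match(hostname):
            return False, "hostname fails syntax check"
    return True, (op, params)


def build_argv(op: str, params: dict) -> list[str]:
    """Map a validated request onto an argv list for the hypothetical local
    helper `vmctl`. An argv list goes straight to execve; no shell ever
    parses controller-supplied text."""
    ctid = str(params["vmid"])
    if op == "set_hostname":
        return ["vmctl", "set", "--ctid", ctid, "--hostname", params["hostname"]]
    return ["vmctl", op, "--ctid", ctid]


def handle(raw: bytes, tag: str, key: bytes = NODE_KEY) -> tuple[bool, object]:
    """Node side entry point. Returns (True, argv) or (False, reason).
    Authentication happens before the body is even parsed."""
    expected = hmac.new(key, raw, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False, "bad MAC"
    try:
        msg = json.loads(raw)
    except ValueError:
        return False, "body is not JSON"
    ok, result = validate(msg)
    if not ok:
        return False, result
    op, params = result
    return True, build_argv(op, params)


def unsafe_handle(msg: dict) -> str:
    """The pattern being objected to, shown only for contrast and never
    executed here: controller-supplied strings are interpolated into a
    command line a shell will parse, so a vmid of '101; id' runs `id`."""
    return "vzctl %s %s" % (msg["action"], msg["vmid"])


if __name__ == "__main__":
    body = encode_request("set_hostname", {"vmid": 101, "hostname": "web01.example.net"})
    print(handle(body, sign(body)))
    body = encode_request("start", {"vmid": "101; id"})
    print(handle(body, sign(body)))
    print(unsafe_handle({"action": "start", "vmid": "101; id"}))
```

The example deliberately stops at authentication and validation; a production agent would also bind the MAC to a nonce or sequence number to stop replays, run the listener as an unprivileged user that talks to a minimal privileged helper, and carry the transport over TLS with pinned certificates.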
Steven

New Member
The line has been crossed, I'm tired of this. We're switching to Virtualizor.
As you are switching to Virtualizor, are you sure similar security holes do not exist there?

It is very important to note that on Virtualizor, most of the web-facing PHP runs as ROOT.
 

kaniini

Beware the bunny-rabbit!
Verified Provider
How have I not heard about this, and if it's a good, workable panel, why isn't everyone using/switching to it?
Because it is somehow even more of a disaster than SolusVM.  Which is amazing, because SolusVM is pretty bad...
 

GVH-Jon

Banned
UPDATE FROM SOLUSVM: A PATCH FOR THE SOLUSVM WHMCS MODULE WILL BE AVAILABLE WITHIN A FEW MINUTES.

Direct Quote:

Hi,

Yes, we are aware of this and working on it. The patch will be ready within a few minutes.

I would suggest disabling the API in SolusVM until our senior admin confirms the patch.

Thanks

--
Kind Regards,
Rajesh - SolusLabs Support Team
 

drmike

100% Tier-1 Gogent
What I posted earlier was from SolusLabs' own support site/forum. At that point (2009?) SolusLabs seemed microscopic. Two nerds and a secretary.

Does anyone know how big or small SolusLabs these days is?  I suspect, not very big.

Asking the founders/authors to audit their own work is like getting two parents to admit they have an ugly child.   Internal audits are notoriously laughable when it comes to security and software.

Totally possible the authors are unaware of these hack methods/not their cup of tea. Nothing wrong with that per se.  But they should get to offering bounty money and bring in a PHP person with more advanced knowledge/proficiency in PHP security.
 