amuck-landowner

SolusVM WHMCS Module Vulnerability

D. Strout

Resident IPv6 Proponent
Too true, that. Once a company gets big enough, they figure they don't actually have to do anything any more. Customers are guaranteed no matter what.
 

wlanboy

Content Contributor
This time the timing wasn't perfect.

He should have waited until SolusVM posted that the security review is done, everything is fixed and a new secure version can be downloaded.
 

blergh

New Member
Verified Provider
Quite frankly, if you don't understand your virtualization stack and enough about writing code to at least take a critical look at the software you are deploying, you don't need to be playing in this industry.
lol'd

It sounds like you have completely forgotten where you posted this.
 

Shados

Professional Snake Miner
Isn't this really more of a curl security bug than a SolusVM one?
That's like saying SQL injections are an SQL security bug (hint: They're not, they're an input sanitization/validation bug). Curl could use a stronger randomization/uniqueness guarantee method for it, sure, but Solus needs to be authenticating the origin of incoming requests and confirming that they do actually have enough authority to do what they're requesting. If they were, you wouldn't be able to use this to do anything more than you could already do.

In other words:

From the node perspective you should assume that your controller is just as hostile as any other box on the net and force them to speak a proper API to you.




Unfortunately not.  Capisso VMPanel, for example, is making the same exact security mistakes.  And any software that is good, like Stallion or Cloudware is not likely to be handed out like candy.
What? I thought you were handing out Cloudware like candy. Free candy!

Also, I've been reading through TortoiseLabs various repositories and related stuff, and I'm a little bit in love with you guys for your use of Xen, Python and sanity.
 

kaniini

Beware the bunny-rabbit!
Verified Provider
What? I thought you were handing out Cloudware like candy. Free candy!
Technically we are, as in, you can download the code, set it up and use it.  But to put it all together, at least, for now, you need to have an inquisitive mind and be able to put everything together yourself.

We may do more than that in the future, who knows.  On the other hand, why would I want to give an industry advantage to someone who hasn't earned it?
 

AnthonySmith

New Member
Verified Provider
Pissed off ? .... YES

Surprised ? ... Sadly ... no

My perspective as a host on all of this is as follows:

SolusVM is very hated. I have been guilty of much hate myself in the past, not of the people but the business. Does that mean people should be trying to attack and destroy the business? No, absolutely not.

No offence to anyone who is running their own panel, but frankly I believe yours is probably much worse; this includes Stallion and Cloudware and any other one you want to name that is being used, maintained and designed by a single host. Now let me qualify that: everyone will jump on SolusVM for being insecure, poor support, things are broken, but the absolute undeniable truth is that 99.9% of the time it is perfect for the job as the industry currently stands, and it does make advances in functionality all the time.

As has been quoted, SolusVM most probably pulls in half a million a year in pure profit. This is not pocket change; this is many, many, many times more money than even some of the bigger hosts in this scene. If anyone had a better product they would be going after this market share... in fact, if anyone could do better we would not be having this conversation, because someone would have already and SolusVM would be thought of in the same way some of the more obscure panels are now.

This has nothing to do with "giving an advantage". Unless your company makes more than half a million profit per year with almost zero overhead in man hours or financial outlay, then frankly I call BS on the legitimacy of the quality of your own product; you simply keep it secure by not allowing others to see it. Writing a SolusVM migration script is so simple it should not even be considered a blocker in any panel. I have almost no coding experience but I can figure out how to nullify SolusVM on any node and import the OVZ/Xen/KVM services into other panels (tried and tested on Cloudmin) in less than an hour; I could shell script it in less than 2 hours.

I completely believe in people poking things with sticks to find holes. However, I don't agree for one second with the way this is being done, i.e. releasing the details of the hole with exploit code on a public blog while showing no effort to inform the vendor. This is an attack; it is an attempt to destroy SolusVM, simple as that.

As much as you all seem to enjoy kicking them when they are down... let me put this to some of you: what are you going to do if this guy wins and destroys SolusVM... switch to HyperVM?? Haha. This guy is not just attacking SolusVM, he is attacking me, he is attacking Tim, Joe, Jarland, Ash, Jack etc. etc., and he is attacking everyone else too that is using SolusVM, and guess what... that means you too as an end user of any host that also uses SolusVM. He is giving away access to your VPS and all your data.

So anyone that supports the actions of the person releasing these exploits supports the attack on my company and every other company here that uses SolusVM, and my advice would be gtfo of here and go and offer to keep watch for some burglars instead. I don't see you as any different. I have said it once and I will say it again: this sort of thing deserves 2 years in jail minimum.

What do you do when you see a shop door that has been left in an insecure state? Do you report it to the store or the authorities, or do you assume that this gives you the right to enter the store and fuck everything up inside it, then walk away laughing because fuck them for leaving the door like that? And then do you think you will be able to blame them for what you did later?

Think about it.
 

RiotSecurity

New Member
Well, it looks like SolusVM should be sending in the crisis teams ... the software itself, and now the module ... I can't wait to find a post saying their site was hacked next ...


peterw

New Member
I completely believe in people poking things with sticks to find holes, however I don't agree for one second with the way this is being done i.e. releasing the details of the hole with exploit code on a public blog while showing no effort to inform the vendor, this is an attack, it is an attempt to destroy solusvm simple as that.
True words. I hope someday the leakers will have something of worth that someone else is destroying because he is able to destroy it. But I don't think that the leakers will ever build up something even worth mentioning.
 

acd

New Member
That's like saying SQL injections are an SQL security bug (hint: They're not, they're an input sanitization/validation bug). Curl could use a stronger randomization/uniqueness guarantee method for it, sure, but Solus needs to be authenticating the origin of incoming requests and confirming that they do actually have enough authority to do what they're requesting. 
Per RFC 2046, section 5.1, Multipart Media Type:

    As stated previously, each body part is preceded by a boundary
    delimiter line that contains the boundary delimiter. The boundary
    delimiter MUST NOT appear inside any of the encapsulated parts, on a
    line by itself or as the prefix of any line. This implies that it is
    crucial that the composing agent be able to choose and specify a
    unique boundary parameter value that does not contain the boundary
    parameter value of an enclosing multipart as a prefix.
So yes, as libcurl is the composing agent and the calling program has no knowledge of or capability to select the boundary delimiter, it is a curl bug.

Some nice bloke filed it in the curl bug list before I had the chance this morning.

That's not to say you are wrong, I wholeheartedly agree that this could and should be solved with proper input sanitization (which it seems is how they patched it).
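A composing agent that honours the RFC 2046 requirement quoted above, as an added example that is not libcurl's code nor anything from SolusVM or this thread. The boundary is drawn at random and re-drawn if it occurs as a line prefix in any part, a caller-supplied boundary that already appears inside a part is refused, and a minimal receiver-side parser shows that a field value containing a boundary-like line round-trips as data rather than being read as an extra part. Field names and values are constructed for the example.

```python
import secrets

CRLF = "\r\n"


def boundary_is_safe(boundary: str, parts) -> bool:
    """RFC 2046 5.1: the delimiter must not appear inside any encapsulated part,
    on a line by itself or as the prefix of any line."""
    delimiter = "--" + boundary
    for _name, value in parts:
        for line in value.split("\n"):
            if line.rstrip("\r").startswith(delimiter):
                return False
    return True


def choose_boundary(parts, rng=secrets.token_hex) -> str:
    """Pick an unpredictable boundary and re-draw until it is unique w.r.t. the parts."""
    for _ in range(16):
        candidate = rng(24)  # 48 hex characters, within the 70-character limit
        if boundary_is_safe(candidate, parts):
            return candidate
    raise RuntimeError("could not select a unique boundary")


def build_multipart(parts, boundary=None):
    """Compose a multipart/form-data body; returns (boundary, body).

    `parts` is a list of (field_name, value) pairs. A caller-supplied boundary
    that already occurs inside a part is refused instead of being used."""
    if boundary is None:
        boundary = choose_boundary(parts)
    elif not boundary_is_safe(boundary, parts):
        raise ValueError("boundary appears inside a part")
    out = []
    for name, value in parts:
        out.append("--" + boundary)
        out.append('Content-Disposition: form-data; name="%s"' % name)
        out.append("")
        out.append(value)
    out.append("--" + boundary + "--")
    return boundary, CRLF.join(out) + CRLF


def parse_multipart(body: str, boundary: str) -> dict:
    """Receiver side: split on the declared boundary only; anything else is data."""
    delimiter = "--" + boundary
    fields = {}
    current_name, current_lines, in_headers = None, [], False
    for line in body.split(CRLF):
        if line == delimiter or line == delimiter + "--":
            if current_name is not None:
                # The CRLF preceding a delimiter belongs to the delimiter, so
                # joining the collected lines reproduces the value exactly.
                fields[current_name] = CRLF.join(current_lines)
            current_name, current_lines, in_headers = None, [], True
            if line.endswith("--"):
                break
            continue
        if in_headers:
            if line == "":
                in_headers = False
            elif line.lower().startswith("content-disposition:"):
                idx = line.find('name="')
                if idx != -1:
                    current_name = line[idx + 6:line.index('"', idx + 6)]
            continue
        current_lines.append(line)
    return fields


# Constructed sample: the second value carries a line that looks like a part
# delimiter for a guessable boundary ("fixedboundary").
SAMPLE_PARTS = [
    ("vserverid", "123"),
    ("note", "line1" + CRLF + "--fixedboundary" + CRLF
             + 'Content-Disposition: form-data; name="root"' + CRLF + CRLF + "1"),
]
```

Because the composer never emits a boundary that already occurs in the data, the receiver has only one place where the split can happen; the value of "note" comes back byte-for-byte, and the guessable boundary that the sample value targets is rejected outright rather than silently reused.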
 