Shortly in Solus time is like 2 years....It looks like shortly is taking longer than expectedopcorn:
SolusVM WHMCS Module Vulnerability
- Thread starter weservit
- Start date
Shados
Professional Snake Miner
That's like saying SQL injections are an SQL security bug (hint: They're not, they're an input sanitization/validation bug). Curl could use a stronger randomization/uniqueness guarantee method for it, sure, but Solus needs to be authenticating the origin of incoming requests and confirming that they do actually have enough authority to do what they're requesting. If they were, you wouldn't be able to use this to do anything more than you could already do.
In other words:
What? I thought you were handing out Cloudware like candy. Free candy!
Also, I've been reading through TortoiseLabs various repositories and related stuff, and I'm a little bit in love with you guys for your use of Xen, Python and sanity.
Technically we are, as in, you can download the code, set it up and use it. But to put it all together, at least, for now, you need to have an inquisitive mind and be able to put everything together yourself.
We may do more than that in the future, who knows. On the other hand, why would I want to give an industry advantage to someone who hasn't earned it?
Pissed off ? .... YES
Surprised ? ... Sadly ... no
My perspective as a host on all of this is as follows:
Solusvm is very hated, I have been guilty of much hate myself in the past, not of the people but the business, does that mean people should be trying to attack and destroy the business? No absolutely not.
No offence to anyone who is running their own panel but frankly I believe yours is probably much worse, this includes Stallion and Cloudware and any other one you want to name, that is being used, maintained and designed by a single host. Now let me qualify that.. everyone will jump on SolusVM for being insecure, poor support, things are broken, but the absolute undeniable truth is 99.9% of the time it is perfect for the job as the industry currently stands and it does make advances in functionality all the time.
As has been quoted SolusVM most probably pulls in half a million a year in pure profit, this is not pocket change, this is many many many times more money than even some of the bigger hosts in this scene, if anyone had a better product they would be going after this market share... in fact if anyone could do better we would not be having this conversation because someone would have already and solusvm would be thought of in the same way some of the more obscure panels are now.
This has nothing to do with "Giving and advantage" unless your company makes more than half a million profit per year with almost zero overhead in man hours or financial outlay then frankly I call BS on the legitimacy of the quality of your own product, you simply keep it secure by not allowing others to see it, writing a solusvm migration script is so simple it should not even be considered as a blocker in any panel, I have almost no coding experience but I can figure out how to nullify solusvm on any node and import the OVZ/Xen/KVM services in to other panels (Tired and tested on cloudmin) in less than an hour, I could shell script it in less than 2 hours)
I completely believe in people poking things with sticks to find holes, however I don't agree for one second with the way this is being done i.e. releasing the details of the hole with exploit code on a public blog while showing no effort to inform the vendor, this is an attack, it is an attempt to destroy solusvm simple as that.
As much as you all seem to enjoy kicking them when they are down... let me put this to some of you,... what are you going to do if this guy wins and destroys solusvm... switch to hypervm?? haha, this guy is not just attacking solusvm, he is attacking me, he is attacking Tim, Joe, Jarland, Ash, Jack etc etc and he is attacking everyone else too that is using solusvm, and guess what... that means you too as an end user of any host that also uses solusvm, he is giving away access to your VPS and all your data.
So anyone that supports the actions of the person releasing these exploits supports the attack on my company and every other company here that uses solusvm and my advice would be gtfo of here and go and offer to keep watch for some burgers instead, I don't see you any as any different, I have said it one and I I will say it again, this sort of thing deserves 2 years in jail minimum.
What do you do when you see a shop door that has been left in an insecure state?... do you report it to the store or authorities or do you assume that this gives you the right to enter the store and fuck everything up inside it then walk away laughing because fuck them for leaving the door like that, and then do you think you will be able to blame them for what you did later?
Think about it.
Surprised ? ... Sadly ... no
My perspective as a host on all of this is as follows:
Solusvm is very hated, I have been guilty of much hate myself in the past, not of the people but the business, does that mean people should be trying to attack and destroy the business? No absolutely not.
No offence to anyone who is running their own panel but frankly I believe yours is probably much worse, this includes Stallion and Cloudware and any other one you want to name, that is being used, maintained and designed by a single host. Now let me qualify that.. everyone will jump on SolusVM for being insecure, poor support, things are broken, but the absolute undeniable truth is 99.9% of the time it is perfect for the job as the industry currently stands and it does make advances in functionality all the time.
As has been quoted SolusVM most probably pulls in half a million a year in pure profit, this is not pocket change, this is many many many times more money than even some of the bigger hosts in this scene, if anyone had a better product they would be going after this market share... in fact if anyone could do better we would not be having this conversation because someone would have already and solusvm would be thought of in the same way some of the more obscure panels are now.
This has nothing to do with "Giving and advantage" unless your company makes more than half a million profit per year with almost zero overhead in man hours or financial outlay then frankly I call BS on the legitimacy of the quality of your own product, you simply keep it secure by not allowing others to see it, writing a solusvm migration script is so simple it should not even be considered as a blocker in any panel, I have almost no coding experience but I can figure out how to nullify solusvm on any node and import the OVZ/Xen/KVM services in to other panels (Tired and tested on cloudmin) in less than an hour, I could shell script it in less than 2 hours)
I completely believe in people poking things with sticks to find holes, however I don't agree for one second with the way this is being done i.e. releasing the details of the hole with exploit code on a public blog while showing no effort to inform the vendor, this is an attack, it is an attempt to destroy solusvm simple as that.
As much as you all seem to enjoy kicking them when they are down... let me put this to some of you,... what are you going to do if this guy wins and destroys solusvm... switch to hypervm?? haha, this guy is not just attacking solusvm, he is attacking me, he is attacking Tim, Joe, Jarland, Ash, Jack etc etc and he is attacking everyone else too that is using solusvm, and guess what... that means you too as an end user of any host that also uses solusvm, he is giving away access to your VPS and all your data.
So anyone that supports the actions of the person releasing these exploits supports the attack on my company and every other company here that uses solusvm and my advice would be gtfo of here and go and offer to keep watch for some burgers instead, I don't see you any as any different, I have said it one and I I will say it again, this sort of thing deserves 2 years in jail minimum.
What do you do when you see a shop door that has been left in an insecure state?... do you report it to the store or authorities or do you assume that this gives you the right to enter the store and fuck everything up inside it then walk away laughing because fuck them for leaving the door like that, and then do you think you will be able to blame them for what you did later?
Think about it.
Last edited by a moderator:
RiotSecurity
New Member
Ei bine, se pare ca SolusVM ar trebui să fie trimiterea echipelor de criză ...software în sine acum modulul ... Eu nu pot să aștept pentru a găsi un post spunând site-ul lor a fost spart viitor ...
Last edited by a moderator:
peterw
New Member
True words. I hope someday the leakers will have something of worth that someone else is destroying because he is able to destory it. But I don't think that the leakers will ever build up something even worth mentioning it.
acd
New Member
Per RFC 2046 Part 5.1. Multipart Media Type
So yes, as libcurl is the composing agent and the calling program has no knowledge of or capability to select the boundary delimiter, it is a curl bug.
Some nice bloke filed it in the curl bug list before I had the chance this morning.
That's not to say you are wrong, I wholeheartedly agree that this could and should be solved with proper input sanitization (which it seems is how they patched it).