amuck-landowner

WHMCS - Horrific Cleaning of variables leaves multiple zero-day possibilities

XFS_Duke

XFS_Duke

XFuse Solutions, LLC
Verified Provider
jarland said:
You're playing with fire.
Click to expand...
Why you say that? Because I'm not just gonna let this slide? Because I am trying to help the community and not just myself? Listen, the SolusVM thing could of been prevented... I know that SolusVM can patch their issues but I'm more worried now about credit card and other info that may be stored in some of the bigger companies databases... Image the possibilities for anyone who gets this exploit... Wouldn't you rather work on getting it fixed rather than bashing the person who figured it out?

But, feel free to send me a PM as to why you think I'm playing with fire...

Thanks.
 
L

lulzsecurity

New Member
Jarland, how is he playing with fire? I'm interested to see your reply.

From my point of view, I just intended to release it without contacting WHMCS honestly, but after talking to XFS_Duke I agreed to notify them at-least before.
 
Nick_A

Nick_A

Provider of the year (2014)
XFS_Duke said:
How about we don't try and bash the guy... Lets listen and try and help instead of being assholes to the person thats trying to get them to fix their mistakes... Just an idea...
Click to expand...
Perfectly willing to listen and help, but someone here needs to acknowledge that this could take a large chunk out of a host's revenue if people are going around posting exploits publicly. I'm not sure how caring about my revenue makes me an asshole. Personally, I prefer exploits to be handled discretely. He acts like he has a personal vendetta against WHMCS, and I'd really like to know why. Does it really hurt him if WHMCS doesn't fix a mistake? Maybe he has some good justification for what's doing, but I haven't seen anything but attention whoring. This thread has only been up for 1.5 hours and he's already said 3 times he is going to post some vulnerability publicly. Sounds like he'd prefer it if WHMCS does nothing.
 
jarland

jarland

The ocean is digital
XFS_Duke said:
Why you say that? Because I'm not just gonna let this slide? Because I am trying to help the community and not just myself? Listen, the SolusVM thing could of been prevented... I know that SolusVM can patch their issues but I'm more worried now about credit card and other info that may be stored in some of the bigger companies databases... Image the possibilities for anyone who gets this exploit... Wouldn't you rather work on getting it fixed rather than bashing the person who figured it out?

But, feel free to send me a PM as to why you think I'm playing with fire...

Thanks.
Click to expand...
Because you're working with Curtis Gervais who is butt hurt over his own bad deeds in the industry and desires nothing more than to cause chaos.
 
L

lulzsecurity

New Member
jarland, I don't see any proof to backup your statement on my real identity. All I see right now is someone jumping to conclusions.
 
XFS_Duke

XFS_Duke

XFuse Solutions, LLC
Verified Provider
jarland said:
Because you're working with ****** who is butt hurt over his own bad deeds in the industry and desires nothing more than to cause chaos.
Click to expand...
Not working with him... Trying to make sure everything gets resolved without anymore websites getting attacked... Simple as that... But by all means... If he releases it, and your site gets hacked... Don't blame me... I've done everything I could... From contacting WHMCS, Hostbill and SolusVM...
 
Last edited by a moderator:
D. Strout

D. Strout

Resident IPv6 Proponent
For goodness sakes... MannDude or mods, check the IPs of this exploit-threatening clown and see if they match up with netnub.

Even if you're not Curtis G, you really shouldn't just go throwing 0-days around. It shouldn't take the mind of a rocket scientist to see how that's a bad idea.
 
Last edited by a moderator:
L

lulzsecurity

New Member
I'm pretty sure newbie programs could do better then WHMCS right now....

global $CONFIG;

global $PHP_SELF;

global $remote_ip;

 

 

$PHP_SELF = $_SERVER['PHP_SELF'];

$this->remote_ip = $this->get_user_ip(  );

$remote_ip = $this->load_config_vars(  );

$CONFIG = $this->load_input(  );
 
KuJoe

KuJoe

Well-Known Member
Verified Provider
lulzsecurity said:
@jarland I still see no proof to backup that statement.
Click to expand...
XFS_Duke confirmed it in one of his posts. Just pointing that out so we can get back on target because who you are doesn't matter IMO.
 
Last edited by a moderator:
KuJoe

KuJoe

Well-Known Member
Verified Provider
jarland said:
Because you're working with Curtis Gervais who is butt hurt over his own bad deeds in the industry and desires nothing more than to cause chaos.
Click to expand...
XFS_Duke said:
Not working with him... Trying to make sure everything gets resolved without anymore websites getting attacked... Simple as that... But by all means... If he releases it, and your site gets hacked... Don't blame me... I've done everything I could... From contacting WHMCS, Hostbill and SolusVM...
Click to expand...
He is implying that he is not working with you but trying to prevent you from releasing more exploits publicly. The pronoun "him" in "Not working with him..." and "he" in "if he releases it" is used in place of the noun that jarland provided "Curtis Gervais".
 
L

lulzsecurity

New Member
There is nothing implyed there. From what I see there is he states he is not affiliated with the person in any way/shape/form and doesn't confirm or deny the identity of this set person. As XFS-Duke confirms is that is a Male by using "he".
 
jarland

jarland

The ocean is digital
KuJoe said:
He is implying that he is not working with you but trying to prevent you from releasing more exploits publicly. The pronoun "him" in "Not working with him..." and "he" in "if he releases it" is used in place of the noun that jarland provided "Curtis Gervais".
Click to expand...
I'm just tired of it. We all know it's a good thing that people be held accountable for their code, but in the meantime some of us would just like a little rest instead of this constant knight in shining armor routine.
 
MCH-Phil

MCH-Phil

New Member
Verified Provider
It's all about attention, otherwise he or she would have just contacted the developer and quietly let them fix it.  

Let's break this down and be honest here.  You have provided no way to fix the issue.  Nor even a way to mitigate the issue until WHMCS can fix their screw up.  You really haven't provided even enough information for seasoned people to resolve it on their own in a timely fashion.  

It's all I know something, is broke, and you don't.  I contacted the developer and if they don't fix it, I'll make sure it can be used against you.

So what was the point of this?  Attention.  Plain and simple.

Go outside and play while you still can.  One of the people you piss off one day will surely make sure you don't see the light of day for a while.
 
Last edited by a moderator:
L

lulzsecurity

New Member
MCH-Phil said:
It's all about attention, otherwise he or she would have just contacted the developer and quietly let them fix it.  

Let's break this down and be honest here.  You have provided no way to fix the issue.  Nor even a way to mitigate the issue until WHMCS can fix their screw up.  You really haven't provided even enough information for seasoned people to resolve it on their own in a timely fashion.  

It's all I know something, is broke, and you don't.  I contacted the developer and if they don't fix it, I'll make sure it can be used against you.

So what was the point of this?  Attention.  Plain and simple.

Go outside and play while you still can.  One of the people you piss off one day will surely make sure you don't see the light of day for a while.
Click to expand...
Not about attention, just warning. If they don't fix it, then you can't say no one warned you about the vulnerabilities...

A patch to fix this will be given to verified providers via private message on request along with all changes made to file documented.
 
Last edited by a moderator:
MannDude

MannDude

Just a dude
vpsBoard Founder
Moderator
D. Strout said:
For goodness sakes... MannDude or mods, check the IPs of this exploit-threatening clown and see if they match up with netnub.

Even if you're not Curtis G, you really shouldn't just go throwing 0-days around. It shouldn't take the mind of a rocket scientist to see how that's a bad idea.
Click to expand...
Sorry, was making food and then eating it. Checkign it all out now.

EDIT: A quick look at the IP log, 'lulzsecurity' and 'netnub' don't share any IP addresses. Then again, most of us here probably have a VPN or (multiple) and know what Tor is and how to use it. It's not entirely helpful banning by IP.
 
Last edited by a moderator:
upsetcvps

upsetcvps

New Member
lulz is doing nothing wrong here.  Would you rather he say nothing and others exploit?  He's forcing wmhcs' hand to pay attention and patch.  The ball is in their court.
 
You must log in or register to reply here.
Top
amuck-landowner