MAJOR SECURITY HOLE

teck
09-24-2000, 10:57 PM
.
[Edited by teck on 09-25-2000 at 01:29 PM]

JeremyL
09-24-2000, 11:15 PM
Maybe they are increasing their prices because they can't afford to fix it. hehe

All joking aside I am absolutely amazed that this has happened. That is one of their big selling points. Security

Annette
09-24-2000, 11:38 PM
Nope. Doesn't work on any of ours. I've noticed that all you get when you don't enter a username/password combo, on this or when requesting the cp through a browser, is a blank screen, which is all the above brings up for us.

CFoxHost
09-24-2000, 11:45 PM
I just tested and got the same results, blank screen and no harm done.

Annette
09-24-2000, 11:49 PM
Just for kicks, I tried it again, using the nameserver IP directly, with no results. Nothing on the to-do list, nothing in the logs. It's like it never happened. Which it didn't. :)

teck
09-25-2000, 09:26 AM
did you try fixing the link. i broke it on purpose.

teck
09-25-2000, 09:33 AM
Like I said, if you tried it on a resold account, most likely, it will work. Alabanza even acknowledged the problem. Not to pick on anyone, but I chose deleted as an example. Let's see my output:

Name Server Manager
Name Server Information:
Primary Name Server: NS.
Primary IP Address: 64.176.
Secondary Name Server: NS2.
Secondary IP Address: 64.176.
akashik.net [View] [Edit] [Delete]
To setup DNS for a domain, please click here

Notice a problem against your resold domains?
[Edited by teck on 09-25-2000 at 01:31 PM]

Félix C.Courtemanche
09-25-2000, 11:10 AM
If that data passed as GET on the url (teck) is usually passed as POST, then Alabanza should be able to fix it temporarily at the very least... else they should think of adding a user security on every script instead of using only 1 safe gateway. Ahhh... when will people ever learn to code SAFELY. Bad and worse stuff can be done so easily with so many scripts.

teck
09-25-2000, 11:14 AM
Either way, it's a major hole.
Let's say akashik was hosting 20 domains. I can just delete them all. I can even add my domain to his ns's. This is not something that should be taken lightly. Who knows what other holes are in their control panel.

Félix C.Courtemanche
09-25-2000, 12:02 PM
Let's remember that the goal once a security hole is found... is not to destroy the product and exploit it, but to FIX it. So once you find out something wrong, you must also figure out how to fix it, else you merely are a cracker and will never be appreciated. Take the time to find a solution, mail Alabanza with it and most likely they will fix it. If they don't... well Welcome Alaban$soft to the world of companies that don't care unless it pays.

teck
09-25-2000, 12:12 PM
Let's also remember that it isn't my responsibility to fix it. You make it sound like it was my fault. I emailed Alabanza on the 14th. It's not a matter of them fixing or not. They HAVE to fix it. So basically me finding this hole is making me a cracker and I will not be appreciated? I thought by making this public, I would be appreciated and people would push Alabanza to get this fixed asap.

Annette
09-25-2000, 12:23 PM
Part of the problem is that you announced it in a wide-open, widely read forum. Not particularly appreciated by people who have now had malicious individuals exploit this, and inappropriate given the sheer number of Alabanza-based hosts who congregate here and whose information is now open to those malicious individuals. Many people (myself included) would appreciate it if the original message was edited or removed outright and either posted to a private forum or emailed to Alabanza-based hosts that might be affected by it.

kunal
09-25-2000, 12:41 PM
Annette, the bug was also emailed on BugTraQ.

teck
09-25-2000, 12:54 PM
One of the reasons I posted it was because Alabanza took so long to get a fix out for the exploit. I contacted them on the 14th and nothing has been done since then.
I believe by making this known, some of you would contact them and speed them up. As far as abusing this, I have deleted parts of the URL to prevent it from being abused. If you are an Alabanza reseller/host, you can easily fix it and see for yourself.

Annette
09-25-2000, 01:21 PM
kunal: yes, and according to teck, rejected by bugtraq ("think is was denied"). I haven't checked bugtraq to see if it was ever accepted.

Teck says he trusts no one will abuse this, which is foolish. The first thing some people will do is abuse this type of information. Is it a severe problem? Yes, for certain reseller accounts.

teck: What you have done is allow anyone who is currently or was previously a customer of Alabanza or an Alabanza host and who knows the format of that command (=lots of people) to gain access to those accounts affected by this bug. Again, it's inappropriate to post it so explicitly in this manner, instead of a more general manner, knowing the number of people here whose systems might be compromised. It would have been better had a more general post been made indicating that you had found a problem with this action and inviting Alabanza hosts to email you, or if you had posted it in an area not visible to casual surfers. The way to get people to contact Alabanza is before their systems are attacked like this, not by inviting everybody and their brother to give it a whirl on the Alabanza reseller of their choice.

In addition, you've posted the akashik information in this thread, thus inviting anyone to try it with that specific domain. Do you honestly not see the problem here? You are creating issues that must be cleaned up by resellers and hosts who are affected by this exploit should someone abuse it, which is infinitely worse than waiting a bit longer for Alabanza to address it or asking others to contact Alabanza as well.

Stan
09-25-2000, 01:26 PM
I have to agree with Annette.
Sure Alabanza needs to be made aware of the "hole" but posting the instructions on the board was not needed. Hehe, being the semi-rookie I am, I went to other of my host's clients, corrected the url and sure enough!!! BAM!! Needless to say I fired off an email to my host pointing them to this thread.

<edit>And yes it was accepted at BugTraq You type too fast Annette ;)</edit>

Stan
[Edited by Stan on 09-25-2000 at 01:45 PM]

teck
09-25-2000, 01:35 PM
So basically...everyone who ever released an exploit for pam(linux) and ddos scripts should have emailed everyone inviting them to email him for information regarding this. this is unacceptable. Considering the size of Alabanza, this problem should have been fixed within a day I have emailed them. Even when a minor bug arises from a program created by software companies, a security advisory as well as a patch is written up within hours at most a day.

As for my example, I'm sincerely sorry for using him as an example. You can try a lot of different hosts on this board and still come up with the same results.

If I pissed anyone off by posting this, I'm sorry. That was not my intention. I wanted to merely give everyone a heads up on what can be a dangerous bug. I'll keep further findings to myself then.

Greg
09-25-2000, 01:48 PM
Hi Teck,

Annette has an "Alabanza forum" which I believe is for Alabanza hosts only and cannot be viewed by others. The forum is located here http://www.hostcoalition.org./forum/index.php3

The next time you have news which is Alabanza related and not for the end users, could you please register and post it there? I would like to know of any news too, and that would probably be the best place to discuss it...I do know how you feel, and I do appreciate you giving us the news :)

Annette
09-25-2000, 01:55 PM
Teck, it is not a matter of pissing people off, nor is it a matter of keeping such exploits to yourself. It is also not exactly the same thing as the other examples you've mentioned.
Yes, people need to know these things. Yes, it is serious. No, posting the entire string, with only a little modification, was not appropriate. The readers of this forum are a vastly different bunch (for the most part) than the readers of Bugtraq, or linux forums where kernel problems or module insecurities are addressed. Those users tend to test these things on their own testbed or lab machines. With the traffic that goes through this place, and the types of people that pass through here, it's almost a given that one of them, who may very well be pissed at an Alabanza-based host, will use what you've posted to create havoc. Again, a more appropriate forum would have been a private one.

However, Alabanza is releasing upgrades to their DSM/CP tomorrow. Don't you think it would have been prudent to wait until after that upgrade to test this exploit again - if only to see if they've taken it to heart? If they haven't, then a general rant about how they ignore serious issues like this would have been welcomed by people. Posting the ABCs of how to do it is not, especially by the people who have to go around and sweep up the droppings of the idiots who intentionally mess with peoples' accounts.

teck
09-25-2000, 02:00 PM
Greg, thanks for the url. I did not know it existed. I would have done it there if I knew about it previously.

Annette, How was I supposed to know they were supposed to have an update to their DSM/CP tomorrow. I'm not in everyone's business knowing when an update would be released. Given a week and a couple of days was enough to provide a fix. Do you think concentric/verio would let a hole like this be open for more than a day, I think not.

cbaker17
09-25-2000, 02:34 PM
What's happening to Alabanza all I hear anymore is about problems with them, a month ago all you would hear is good things about them.

kunal
09-25-2000, 02:41 PM
Well, first law of physics, and the most important one!! "Everything that goes up, has to come down"!

Annette
09-25-2000, 02:53 PM
Teck, from your post it is apparent that you somehow gained access to the command string that is used by resellers to add/remove domains from the virtual nameservers. So either you are a client of Alabanza, and did not get the upgrade notice they had sent out, or you are a reseller, and your host did not tell you, or you are simply fooling around with the command to see what can be done with it, in which case I have to wonder why you're trying to crack Alabanza's controls. No matter the case, if you had initially posted a more general case, someone would have been delighted to tell you that upgrades were on the way, and perhaps you could have waited until after that time to test it again. Instead, you chose to spell out the exact command needed to gain access, and to use akashik as a very specific example, thus simply encouraging some of the little pests that hang out here to indulge themselves. Having spent the entire morning cleaning up after one such pest, let me tell you that I am not pleased at all that you took the route you did.

It does not matter at all what Concentric or Verio would have done. Contact with Alabanza, perhaps a followup, perhaps a general post to the population here would have been worlds better than this.

At this time, the virtual nameserver function has been disabled for resellers. This was not entirely necessary - it only became so because the command string is posted here for the world to see. Now we get to see the flip side of this issue: resellers contacting their hosts because the function does not work. Believe me, there are many more of these types of contacts at this moment than there are people who would have been able to exploit that hole in the first place, had it not been pointed out for them.
[Edited by Annette on 09-25-2000 at 02:57 PM]

teck
09-25-2000, 03:32 PM
This functionality is going to be temporarily unavailable Sorry of the inconvenience.
Good, this is what should have been done a week ago.

As for what I did, if you are not pleased, sorry for being harsh but tough. A lot of people would have thanked me for making the public aware of this hole. Also, a lot of other people would flame me. Either way, I don't care. The end result is what I wanted to see, the NS manager being disabled and a fix to be worked on...which should have happened a week ago, not a week and a half later when an "upgrade" was supposed to come out.

Annette
09-25-2000, 04:03 PM
Let's see: so you don't care about the major inconvenience that you've caused quite a few people because you were irritated that Alabanza didn't get cracking on this according to your schedule. And because you were irritated that they didn't fix this according to your schedule, you decided that it would simply be in everyone's best interest to post the exact steps needed to exploit the hole ("trusting" that no one would abuse it) when there are very few people who would have been able to find it on their own, and when you know that the audience here is not the same type of audience at the bug list fora.

Thanks for clearing that up for us.

(Please note that my reaction to all of this would be the same if you had posted this sort of thing for another host's controls as well.)
[Edited by Annette on 09-25-2000 at 04:08 PM]

GordonH
09-25-2000, 04:14 PM
I agree Annette,

All hell is breaking loose over here. No estimate of when the VNS system will be back up. Posting the issue in public was not doing a service to anyone!

Gordon

Laci
09-25-2000, 04:20 PM
Here I sit just signed up for my reseller account today (yes I did it :blush: ) and now I can't start reselling because the VNS's are not working, not because I don't want people to know I'm a reseller but because I don't want to move everyone ...I'm willing to wait ...but I think this could have been done differently:(

Marty
09-25-2000, 04:30 PM
Dana, I have the same problem.

Teck, I'm with Annette.
A simple message that said in effect: "I have found that there is a security problem with the VNS system of Alabanza's control panel. This issue will allow anyone with knowledge of the cp to delete the accounts of resellers.... I notified Alabanza 1 week ago with no response..... Contact me for further information." would have sufficed. But instead you have punished those that use Alabanza's service. Do you really think that this has hurt Alabanza, no it has caused headaches for Alabanza based hosts and their resellers. Thanks!!

Marty

akashik
09-26-2000, 04:59 AM
Originally posted by teck
Name Server Manager
Name Server Information:
Primary Name Server: NS.
Primary IP Address: 64.176.
Secondary Name Server: NS2.
Secondary IP Address: 64.176.
akashik.net [View] [Edit] [Delete]
[Edited by teck on 09-25-2000 at 01:31 PM]

Dear customer,

Thank you for choosing akashik.net to serve your needs. We aim to provide the best security holes and hacking doorways in the business. Our patented 'greasy soup' system is provided at no extra expense to you to aid the slipping in and then out, deleting our business at will.

Best Regards,
the akashik.net team.

Now, on a more serious note. I've just been informed this is no longer an issue and has been rectified. Domains at akashik.net are secure. While it is appreciated that violations of the security of this domain are made note of so they can be corrected, an open post about it is far from not.

You may not *understand* why people are jumping all over you right now, but some milk and cookies and a quiet lie down may help your insight into this.

Pretend for a minute this was YOUR business someone decided to use as an example. You're busting your ass everyday to make a buck and support your family, building something day by day to create an income that feeds not only yourself, but fiance and one year old daughter.
Next some 'smarmy' ******* shows up who seems to think applying to the correct channels isn't good enough for him, but needs instant satisfaction to his problem, so posts openly to a forum read by thousands, quoting a single domain in his example - effectively giving the keys to anyone who reads it open access to the system. In doing so, ALSO places questions in people's minds as to whether they should do business with akashik.net in light of your post. While the issue is relevant to all accounts through an Alabanza system people will lend a bias towards this particular case.

Should it ever come to light that this post has affected my income, I'm more than happy to place a call to a lawyer in the states (where I presume you reside). He's about 300pds, 6'4", and looks like the Reaper himself. (had a role in the movie 'Shower Of Blood' too apparently if you want to check this.) He also loves to destroy people in court and enjoys other people's pain. Also besides physically being able to 'tear you a new one' he's very good at what he does.

Now with all that, hopefully you have a slightly wider viewpoint on why it's bad to cite specific examples to security issues.

Again to reiterate what I said in the beginning it's great you found a hole and pointed it out, as it's something that concerns Alabanza hosts worldwide. What is poor is the execution of your post and your particular use of our domain. (try using asterisks next time huh?).

I am sure that anyone reading this thread will understand it doesn't affect us anymore and that it is/was never something directly responsible of akashik.net, and that it shouldn't cloud their decision to select the services offered by us. (I'd go on, but it's starting to feel like an ad).

I feel more for Annette and Stephanie in this instance as from her posts and emails to me they've gone through hell and back to make sure it's a non-issue.

Let's both hope you never get to meet me in an alleyway some day as I am pretty pissed about it all.
Your saving grace is it has now proved unfounded as things are 'peachy keen' again.

Well that was pretty long and I feel better.

Greg Moore
http://www.akashik.net

Oh, any reason you choose me in particular?

akashik
09-26-2000, 06:03 AM
*just read my post back to myself now I've had a coffee*

Gosh that did sound grumpy. Rest assured loyal viewers, I'm feeling a lot better now, and am ready to regale all with tales of mirth and vigor (if only I had some onhand *lol*).

Back to business.

Greg Moore
http://www.akashik.net

Marty
09-26-2000, 09:49 AM
Greg, I think most of us understand your anger. It was bad enough when I saw the actual command strings posted, but when I saw the example, my first thought was, uh oh. I don't blame you for your anger, but I must say I prefer the mirth and vigor. :)

Marty

alchiba
09-26-2000, 10:32 AM
Mirth and vigor, Greg! Hey, any publicity is good publicity, right? Just trying to put a positive spin on this.

akashik
09-26-2000, 10:47 AM
Originally posted by alchiba
Mirth and vigor, Greg! Hey, any publicity is good publicity, right? Just trying to put a positive spin on this.

*lol* well that's true and said as much to someone else earlier tonight :)

Shame it didn't happen *after* I get the hosting thing set up for the general audience. *smile*

Greg Moore
http://www.akashik.net

Farnsworth & Thomas
09-26-2000, 11:24 AM
Wow Tech, I'm sure you learned your lesson. I made the same mistake once. I know exactly how you feel right now, Trust me.

Your mistake wasn't in telling everyone, I appreciate the work you've done to find the hole. People just don't want instructions on how to exploit their livelihoods. It ruffles them a bit.

There must be proper channels to disseminate this information. I think that there should be a members only user group for top level and resellers. I don't know how we could verify their status (any suggestions from the more experienced users?). For those who don't wish to join, good for you.
Of course there are those who don't see the value of it, but I own another business that works quite a bit with my competition and even hires them to do the overflow. I know what the benefits of friendly competition are. From what I've read on these boards, everyone is pretty friendly.

I'll take the bold step here in starting this very exclusive club. If you're interested, send email with suggestions on how you'd like to see it run, what you'd like to get from it. It may just start out as an email list or something, and it may just be a bunch of people in the same business who make friends and support each other when a bug is found. One of the obvious benefits is to become the 300 lb. gorilla in Alabanza's front room.

Interested parties can write me at AlaClub@ez2ba.com (Info will be kept confidential but if you want anonymity use a hotmail account)

Annette
09-26-2000, 11:36 AM
"People just don't want instructions on how to exploit their livelihoods. It ruffles them a bit."

No, what ruffles people is when exact instructions are spelled out in a forum such as this, instead of in a private setting or at a bug list forum. As has been pointed out, it is NOT the fact that the hole was found. It is the METHOD chosen to present the information (and that method seems only to have been chosen in a fit of pique that Alabanza wasn't keeping some sort of schedule known only to teck).

Significant damage has been done (although not to everyone) by teck posting that method here instead of using some other way of putting the information out there. It's nice that he has deleted the original how-to, but it's a bit late for that, given the number of views that the thread has had.
Like ignoring a fire until it becomes an inferno and then trying to put it out with a garden hose, this issue has created a lot of grief - not necessarily for Alabanza (although they share some of the responsibility for this), but for hosts who were affected by someone who thought it would be "cool" to try this exploit and then who were put into the position of explaining what went wrong to their users.

Félix C.Courtemanche
09-26-2000, 11:37 AM
And here was a small lesson given by Annette and Akashik... Anyone has any questions? Oh... do code safely in the future.

akashik
09-26-2000, 12:08 PM
Originally posted by Félix C.Courtemanche
And here was a small lesson given by Annette and Akashik... Anyone has any questions? Oh... do code safely in the future.

*pokes Felix in the ribs* wasn't my coding! :)

It appears to be a general fault right at the top from what I understand, which an update to the system repaired. As I said in my <rant> it would have been nice if Teck had decided to use some <*****>'s here and there, or at least decided to pick some other domain out of the hat.

Still, it does feel kinda nice to be the center of attention. *lol*

*hand to forehead in mock ecstasy* Come, children.... come bathe in my light.

Greg Moore
http://www.akashik.net

Annette
09-26-2000, 12:22 PM
I don't think Felix was trying to say that the coding issue was ours, as it certainly wasn't - rather that the salient point about people needing to think very carefully before they post something that has these types of implications has been made.

Arf
09-26-2000, 12:32 PM
My gosh Annette, let it go. Every one of your comments is a reprimand. Move on. We can't unring that bell. We ALL agree this is a serious matter.

diyoha
09-26-2000, 12:36 PM
Originally posted by Annette
At this time, the virtual nameserver function has been disabled for resellers. This was not entirely necessary - it only became so because the command string is posted here for the world to see.
There are plusses and minuses to how security issues are handled. Posting the string to the world may have caused a short term inconvenience but it caused Alabanza to hastily come up with fixes to the problem. Which they should have done in the first place. Tech mentioned they had a week and a half notice. So the long term gain is all resellers are now safe.

My belief is security by obscurity is not a good approach. So exposing the problem to the world caused fast action.

My point is we do not know how many other malicious people knew of the crack and were secretly causing havoc without anyone's knowledge. Now that the "world" knows about it a fix is fast coming (or as you mentioned about to be released)

(I agree that a super specific example may have pushed the envelope ;) )

later
David

Annette
09-26-2000, 01:33 PM
Give it a rest, Arf. I was just pointing out to Greg that Felix might not have meant what he thought, that's all. You want to read more into it than that, feel free.

<edit>Longer post addressing a couple of issues snipped, since apparently it's all "reprimands" or something. Will be sent to the group instead.</edit>
[Edited by Annette on 09-26-2000 at 01:43 PM]

Whoopie
09-26-2000, 02:02 PM
Ok Annette, we get it.. You're pissed, we know. Enough already. Shut up, and leave it alone.

Will someone delete this damned post before this bitch can post again.

akashik
09-26-2000, 02:06 PM
Sysadmin - that last post was correct in one aspect.... time to lock it up and/or delete it.... I think everyone seems to be getting a little hot under the collar and chasing the warm fuzzies away :)

Greg Moore
http://www.akashik.net

Annette
09-26-2000, 02:08 PM
So we can miss such brilliant repartee such as that? Aw, Greg, come on - no fun at all. :)

diyoha
09-26-2000, 02:14 PM
Name calling is not the way to go ;( Disagreement is the healthy part of a discussion ...
David

DanielP
09-26-2000, 02:21 PM
Oh Cmon people, everyone is entitled to post their opinions, let's ALL chill out and end this thread.