Page 1 of 21 (results 1 to 25 of 508)
  1. #1
    Join Date
    Mar 2003
    Location
    Canada
    Posts
    9,072

    Zamfoo Critical Security Vulnerabilities - They Don't Seem To Care...

    We reported two critical security vulnerabilities to Zamfoo approximately two weeks ago and they have not yet issued a patch, nor do they even appear to be working on one! I bumped them today looking for an update, to which they replied:

    Not at this time. They are in queue to be worked on.
    To put the two security flaws into perspective, anyone running Zamfoo right now is at risk of having their servers rooted in literally a matter of seconds. The notion that Zamfoo isn't taking these security flaws seriously is insulting to the community and therefore, per our internal policy, we will be issuing a working proof of concept within 24 hours from now that will allow anyone to gain root access.

    Pardon the caps, the bold and the red, but I need to make this very clear to everyone running Zamfoo because you are going to be at an insane risk come tomorrow:

    UNINSTALL THE SOFTWARE RIGHT NOW.

    We cannot help companies that do not want to be helped and unfortunately in some cases, our only course of action is to release a working proof of concept in hopes of forcing them to get off their ass and do the right thing.

    The clock starts now...

  2. #2
    Join Date
    Mar 2003
    Location
    Canada
    Posts
    9,072
    So the owner emails us:

    Well. No offense. We don't take kindly to threats and quite honestly, I do not know why you think you need or want to be the police.

    We don't work under your timelines.

    So unless you plan to not use our software ever again, permanently, get one thing straight. You publish a vulnerability, you're done forever. You threaten us again, you're done forever.

    Period.

    We said we will fix it... and we will, but you are not going to dictate the circumstances under which it gets done. And when it is done, it will be done properly.

    Period.

    Kevin
    To which we email him:

    Kevin,

    We don't need your crappy software, you can keep the license.

    In the last month we have found approximately 50 exploits in every control panel and pretty much every well-known plugin. I can count on one hand how many developers wanted to be difficult or frankly didn't care about their customers' security, and I will add you to that list.

    It's been over two weeks and here we are: you haven't even started work on a patch, which is extremely unacceptable to your customers. You are a shining example of what is wrong with our industry and I hope you hang your head in shame for putting your customers at risk.

    http://www.webhostingtalk.com/showthread.php?t=1275572

    You got 24 hours. Period.

    Patrick
    I always find it rather amusing when companies don't care about their customers' security by taking two-plus weeks to start work on a patch.

  3. #3
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681
    ::facedesk::

    These exploits are extremely easy to do. It's foolish not to jump on and fix them.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  4. #4
    Join Date
    Jan 2008
    Location
    Portugal
    Posts
    1,021
    2 weeks to fix their own software?

    You've been doing the research for free; they should pay you, not threaten you.
    Senior System Administrator / DevOp - LinkedIn / MailChannels Director of Sales, Europe
    MyW - Shared/Reseller Hosting & Server Management (cPanel/DA/Virtualization Servers)

  5. #5
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681
    They have killed our license, so I'll leave this here:

    No

    You are a perfect example of what is wrong.

    You're threatening to publish something and spread exploit knowledge, you ****ing dolt scumbag loser.

    Sent from my iPhone

  6. #6
    Join Date
    Mar 2008
    Location
    hunterdon county NJ
    Posts
    196
    This is what is wrong with this guy, and with everyone who thinks they are Johnny Justice.

    He feels the need to do the world justice by posting damaging information if something isn't done his way, in the time frame that is acceptable to him.

    Fact: we acknowledged his concerns. We acknowledged we are interested in fixing the problem and we agreed to do so.

    Here is his email, that he sent after we politely acknowledged the concerns and expressed interest in fixing them:
    Not good enough.
    We have given you ample time to push out a fix; as per our policy for companies who do not take security seriously, in 24 hours we will release a working POC to the community.
    You do not have a "right" to use our software. We agree to do business with you. You have crossed the boundary between who we want to do business with and who we do not do business with.

    If you post the exploit you will, without a doubt, find yourself in NJ court over a lawsuit for damages. You are in fact already damaging my business by what you are doing. I am warning you. I am not playing games with you. If you think that I am, TEST ME.

    That being said... we will still be fixing the software. Our way, the correct way, and in a proper fashion, and it will be pushed out... when it is ready, not when you say it needs to be done by.

    kevin

  7. #7
    Join Date
    Mar 2003
    Location
    Canada
    Posts
    9,072
    The clock is counting down... a little less rambling on here and a little more fixing your software, eh?

    You had TWO WEEKS to fix a serious security flaw. I am sorry, but you will find very little sympathy here. The fact that you haven't even started working on a patch speaks volumes, even more so now that you want to threaten us in court.

    Edit:

    Just so we are clear. We're not scared of you or your lawyers.

  8. #8
    Join Date
    May 2008
    Location
    Citrus Heights, CA
    Posts
    1,887
    Kevin, you had two ****ing weeks. How about you quit whining and just fix your **** already.
    iWebFusion.Net - Shared / Reseller / VPS / Bare Metal / Colocation / IP Transit / Networking
    *Simply Hosting - Wholly owned networks, in-house staff, legions of fans!

  9. #9
    Join Date
    Jan 2008
    Location
    Portugal
    Posts
    1,021
    Quote Originally Posted by hostydotnet View Post
    This is what is wrong with this guy, and with everyone who thinks they are Johnny Justice.

    He feels the need to do the world justice by posting damaging information if something isn't done his way, in the time frame that is acceptable to him.

    Fact: we acknowledged his concerns. We acknowledged we are interested in fixing the problem and we agreed to do so.

    Here is his email, that he sent after we politely acknowledged the concerns and expressed interest in fixing them:


    You do not have a "right" to use our software. We agree to do business with you. You have crossed the boundary between who we want to do business with and who we do not do business with.

    If you post the exploit you will, without a doubt, find yourself in NJ court over a lawsuit for damages. You are in fact already damaging my business by what you are doing. I am warning you. I am not playing games with you. If you think that I am, TEST ME.

    That being said... we will still be fixing the software. Our way, the correct way, and in a proper fashion, and it will be pushed out... when it is ready, not when you say it needs to be done by.

    kevin
    I'm sorry, Kevin, I am failing to understand the following... So, you had 2 weeks to fix a really critical security flaw, and are now threatening someone who found the flaw for free, instead of fixing it? Are you on holiday?

    Such response makes me lose all respect I had for you.

  10. #10
    Join Date
    Mar 2003
    Location
    Canada
    Posts
    9,072
    Before anyone thinks we are being reckless with security by posting a POC after 24 hours, take a look at this:

    http://googleonlinesecurity.blogspot...abilities.html

    Zamfoo has had two weeks from when they were notified! Two weeks!

  11. #11
    Join Date
    Mar 2008
    Location
    hunterdon county NJ
    Posts
    196
    No offense, but not everything is as simple as this guy seems to be making it sound.

    He does not know our circumstances, as much as he would pretend to.

    kevin

  12. #12
    Join Date
    Mar 2003
    Location
    Canada
    Posts
    9,072
    Quote Originally Posted by hostydotnet View Post
    No offense, but not everything is as simple as this guy seems to be making it sound.

    He does not know our circumstances, as much as he would pretend to.

    kevin
    How much time do you need to issue a patch? Give us an exact ETA please. Lots of people use Zamfoo, we are willing to extend our deadline for their sake - not for you.

  13. #13
    Join Date
    Mar 2010
    Posts
    4,533
    Quote Originally Posted by Steven View Post
    They have killed our license, so I'll leave this here:
    If you need a new license to test for vulnerabilities, there are plenty of members on this forum that would exchange the funds with you and buy the license on your behalf. Not like they would know anyway, tbh. There are Zamfoo resellers too, but I believe you need to stay on the reseller's network.


    Quote Originally Posted by hostydotnet View Post
    This is what is wrong with this guy, and with everyone who thinks they are Johnny Justice.

    He feels the need to do the world justice by posting damaging information if something isn't done his way, in the time frame that is acceptable to him.

    Fact: we acknowledged his concerns. We acknowledged we are interested in fixing the problem and we agreed to do so.

    Here is his email, that he sent after we politely acknowledged the concerns and expressed interest in fixing them:


    You do not have a "right" to use our software. We agree to do business with you. You have crossed the boundary between who we want to do business with and who we do not do business with.

    If you post the exploit you will, without a doubt, find yourself in NJ court over a lawsuit for damages. You are in fact already damaging my business by what you are doing. I am warning you. I am not playing games with you. If you think that I am, TEST ME.

    That being said... we will still be fixing the software. Our way, the correct way, and in a proper fashion, and it will be pushed out... when it is ready, not when you say it needs to be done by.

    kevin
    While I don't necessarily agree with posting the exploit (not at all, honestly, but it seems to work), if you hadn't come off like you had a major attitude toward people finding exploits for your software, I'm sure this thread wouldn't have even been started the way it currently is.

    Have you at any point explained why it wasn't an immediate patch? If you did, clearly, then sure, I agree with you. But since you haven't bothered to explain yourself on this thread and have just sent legal threats, it doesn't seem like you were thorough enough with customers.
    Last edited by techjr; 06-13-2013 at 03:28 PM.

  14. #14
    Join Date
    Mar 2008
    Location
    hunterdon county NJ
    Posts
    196
    Quote Originally Posted by Patrick View Post
    Before anyone thinks we are being reckless with security by posting a POC after 24 hours, take a look at this:

    http://googleonlinesecurity.blogspot...abilities.html

    Zamfoo has had two weeks from when they were notified! Two weeks!
    If you were a respectable member of the hosting community you would never disclose an open attack if the vendor agrees and is willing to fix it. Period.

    It speaks volumes about the type of person you are.

    I don't really care if you are scared or not. I wasn't making a baseless threat. If you do release what you sent us, you will definitely find yourself with a legal problem.

    kevin

  15. #15
    Join Date
    Mar 2003
    Location
    Canada
    Posts
    9,072
    I should mention, if you issue a patch then we won't issue the POC. All we want is for you to fix the security flaws and give it the utmost concern which I don't believe you have done. It's that simple. The flaw isn't even that complicated! You should be able to patch it within an hour, seriously.

  16. #16
    Join Date
    Mar 2008
    Location
    hunterdon county NJ
    Posts
    196
    Quote Originally Posted by techjr View Post
    If you need a new license to test for vulnerabilities, there are plenty of members on this forum that would exchange the funds with you and buy the license on your behalf. Not like they would know anyway, tbh. There are Zamfoo resellers too, but I believe you need to stay on the reseller's network.

    While I don't necessarily agree with posting the exploit (not at all, honestly, but it seems to work), if you hadn't come off like you had a stick stuck somewhere dark, I'm sure this thread wouldn't have even been started the way it currently is.

    Have you at any point explained why it wasn't an immediate patch? If you did, clearly, then sure, I agree with you. But since you haven't bothered to explain yourself on this thread and have just sent legal threats, it doesn't seem like you were thorough enough with customers.
    No. And I don't feel I need to explain. It is really irrelevant why it has not come out yet. The fact is that we acknowledged it... and are in fact working on it, but it is not ready yet.

    The stick you refer to came from the guy. He is getting the same level of respect he has given.

    kevin

  17. #17
    Join Date
    Mar 2008
    Location
    hunterdon county NJ
    Posts
    196
    Quote Originally Posted by Patrick View Post
    How much time do you need to issue a patch? Give us an exact ETA please. Lots of people use Zamfoo, we are willing to extend our deadline for their sake - not for you.
    You keep saying "we". You are no longer included in "we". Your license key has been revoked.

    Now you have no personal agenda in obtaining the fix. You can only do harm by releasing it, and cause punitive damages.

    Not only that: there is an emergency kill switch. If you release the patch I will pull the switch and no one can use the software. Your exploit will not work if I do that. The plugin will become useless until I turn it back on.

    kevin

  18. #18
    Join Date
    Mar 2003
    Location
    Canada
    Posts
    9,072
    Quote Originally Posted by hostydotnet View Post
    the stick you refer to came from the guy. he is getting the same level of respect he has given.
    Kevin,

    C'mon! I sent you two emails over two weeks and they were all polite, were they not? My third email to you today was also polite. You have to acknowledge the seriousness of these security flaws, and you haven't done that in two weeks.

    Let's imagine that someone malicious found the flaws and posted them to Full Disclosure. Would you still take two weeks to start working on a patch? We are here to help! We're not your enemy but you have to work with us and taking two weeks for a simple fix is the polar opposite.

  19. #19
    Join Date
    Mar 2008
    Location
    hunterdon county NJ
    Posts
    196
    Quote Originally Posted by Patrick View Post
    Kevin,

    C'mon! I sent you two emails over two weeks and they were all polite, were they not? My third email to you today was also polite. You have to acknowledge the seriousness of these security flaws, and you haven't done that in two weeks.

    Let's imagine that someone malicious found the flaws and posted them to Full Disclosure. Would you still take two weeks to start working on a patch? We are here to help! We're not your enemy but you have to work with us and taking two weeks for a simple fix is the polar opposite.
    I did acknowledge it and we are fixing it. And not to be a douche about it, but there was a death in the family, if you must FREAKING know... some of the reasons why it's taking a little while.

    I have said everything that I am willing to say about the problem and what could potentially come out of your deadline.

    I am not even going to humor this thread any longer. You have stated your intentions, I have stated what i will do if you do what you said you will, and there really isn't much to talk about until

    1) the patch comes out

    or

    2) you release what you sent me.

    Look in the mirror.....if you want me to acknowledge something....then you should acknowledge that what you plan to do will not help anyone, not even in the slightest.

    Kevin

  20. #20
    Someone reminds me of an ostrich sticking out its ass and hiding its big head underground, trying to ignore everything that's outside.

  21. #21
    Join Date
    Jan 2008
    Location
    Portugal
    Posts
    1,021
    Quote Originally Posted by hostydotnet View Post
    If you were a respectable member of the hosting community you would never disclose an open attack if the vendor agrees and is willing to fix it. Period.

    It speaks volumes about the type of person you are.

    I don't really care if you are scared or not. I wasn't making a baseless threat. If you do release what you sent us, you will definitely find yourself with a legal problem.

    kevin
    Patrick is a respectable member of the hosting community.

    Those folks are trying to help you, even willing to extend the POC deadline, but still, you seem not to care.

    And damn, the "switch" thing looks funny.

  22. #22
    Join Date
    Feb 2013
    Posts
    353
    I'm not quite sure what posting the vulnerability to the world is going to do but make things worse for people using the software. Fair play for finding an issue, and they should be doing something about it, agreed, but posting and telling people how they can get into other people's servers is a bit poor. I don't quite get the whole "you have 24 hrs" thing either, to be honest. And no, I'm nothing to do with the script, just a reader; it comes across a bit childish to me.

  23. #23
    Join Date
    Mar 2003
    Location
    Canada
    Posts
    9,072
    Quote Originally Posted by NorthHosts View Post
    I'm not quite sure what posting the vulnerability to the world is going to do but make things worse for people using the software. Fair play for finding an issue, and they should be doing something about it, agreed, but posting and telling people how they can get into other people's servers is a bit poor. I don't quite get the whole "you have 24 hrs" thing either, to be honest. And no, I'm nothing to do with the script, just a reader; it comes across a bit childish to me.
    We are extremely responsible security researchers. Out of approximately 50 security flaws with about 25-30 different vendors, only a few dragged their feet.

    The reason that we take to WHT and threaten to post a Proof of Concept is to bring attention to the security flaw. For years we sat by idle waiting on companies to issue patches, in some cases it took them years! All the while serious security flaws sat there and if we can find them, surely others can as well.

    By posting the proof of concept here, after all of our options have been exhausted and we have reasonable belief that the company isn't going to fix it soon... we give them a reason to fix it because their customers will demand it. We should never have to take this approach! Believe me, I hate when we make these threads but it was the company who led us down this path.

    Take for example cPanel. We called them out a few times on here and finally the CEO got involved and made things right with us. I can't go into the specifics, but I can assure you that it would never have happened had we not come here. At the end of the day, anything we do is for the greater good of the hosting community.

    I reached out to Kevin via PM to try and resolve this to everyone's satisfaction.

  24. #24
    Join Date
    Dec 2010
    Location
    127.0.0.1
    Posts
    5,732
    Well, thanks Patrick and Steven, I know where I'm never getting a license from again... There's better software that gives a damn about security.

  25. #25
    Join Date
    Dec 2007
    Location
    Indiana, USA
    Posts
    19,196
    Quote Originally Posted by NorthHosts View Post
    I'm not quite sure what posting the vulnerability to the world is going to do but make things worse for people using the software
    There are a few things:
    1. If Patrick found it, others can/will find it.
    2. If possible [I don't know how Zamfoo's dev team works, QA, testing, etc] they should fix a root escalation exploit as quickly as possible.
    3. One should not have to threaten to release POC to get a developer to move.

    I suspect if the POC is posted, the issue will be patched within hours if not within a day. Without the POC being published - how long? Two more weeks? Two months? Next year?

    @Kevin - I think all Patrick is looking for is acknowledgement that the issue is critical and that you will prioritize the handling of that issue. If you were to even say something like, "We're going to get it fixed as quickly as possible but I suspect, due to our workflow, that it may take 3 weeks," I think they would be fine waiting 3 weeks to release the POC.

    The issue here seems to be, for a third party looking in, a communication issue.

    The obvious disclaimer is that I do not use Zamfoo, I do not know/associate with Patrick or Kevin and, as such, I have no 'inside' information or access to any prior communications that are not included in this thread.
    Michael Denney - MDDHosting.com - Proudly hosting more than 37,700 websites since 2007.
    Ultra-Fast Cloud Shared and Pay-By-Use Reseller Hosting Powered by LiteSpeed!
    cPanel • Free SSL • 100% Uptime SLA • 24/7 Support
    Class-leading support that responds in minutes, not days.

