Zamfoo Critical Security Vulnerabilities - They Don't Seem To Care...

  #1  
Old 06-13-2013, 02:14 PM
Patrick
Security Ninja
 
Join Date: Mar 2003
Location: Canada
Posts: 8,607

We reported two critical security vulnerabilities to Zamfoo approximately two weeks ago and they have not yet issued a patch, nor do they even appear to be working on one! I bumped them today looking for an update, to which they replied:

Quote:
Not at this time. They are in queue to be worked on.
To put the two security flaws into perspective, anyone running Zamfoo right now is at risk of having their servers rooted in literally a matter of seconds. The notion that Zamfoo isn't taking these security flaws seriously is insulting to the community and therefore, per our internal policy, we will be issuing a working proof of concept within 24 hours from now that will allow anyone to gain root access.

Pardon the caps, the bold and the red, but I need to make this very clear to everyone running Zamfoo because you are going to be at an insane risk come tomorrow:

UNINSTALL THE SOFTWARE RIGHT NOW.

We cannot help companies that do not want to be helped and unfortunately in some cases, our only course of action is to release a working proof of concept in hopes of forcing them to get off their ass and do the right thing.

The clock starts now...



  #2  
Old 06-13-2013, 02:34 PM
Patrick
Security Ninja
 
Join Date: Mar 2003
Location: Canada
Posts: 8,607
So the owner emails us:

Quote:
Well. No offense. We don't take kindly to threats and quite honestly, I do not know why you think you need or want to be the police.

We don't work under your timelines.

So unless you plan to never use our software again, permanently, get one thing straight. You publish a vulnerability, you're done forever. You threaten us again and you're done forever.

Period.

We said we will fix it...and we will, but you are not going to dictate the circumstances under which it gets done. And when it is done, it will be done properly.

Period.

Kevin
To which we email him:

Quote:
Kevin,

We don't need your crappy software, you can keep the license.

In the last month we have found approximately 50 exploits in every control panel and pretty much every well known plugin. I can count on one hand how many developers wanted to be difficult or frankly didn't care about their customers' security, and I will add you to that list.

It's been over two weeks and here we are, you haven't even started work on a patch which is extremely unacceptable to your customers. You are a shining example of what is wrong with our industry and I hope you hang your head in shame for putting your customers at risk.

http://www.webhostingtalk.com/showthread.php?t=1275572

You got 24 hours. Period.

Patrick
I always find it rather amusing when companies show they don't care about their customers' security by taking two+ weeks to start work on a patch.

  #3  
Old 06-13-2013, 02:48 PM
Steven
Problem Solver
 
Join Date: Mar 2003
Location: California USA
Posts: 12,917
::facedesk::

These exploits are extremely easy to do. It's foolish not to jump on and fix them.

__________________
Steven Ciaburri | Proactive Linux Server Management - Rack911.com
System Administration Extraordinaire | Follow us on twitter:@Rack911Labs
Managed Servers (AS62710), Server Management, and Security Auditing.
www.HostingSecList.com - Security notices for the hosting community.

  #4  
Old 06-13-2013, 02:48 PM
MrGeneral
Web Hosting Master
 
Join Date: Jan 2008
Location: Portugal
Posts: 899
2 weeks to fix their own software?

You've been doing the research for free; they should pay you, not threaten you.

__________________
Translator EN-PT / PT-EN | Sysadmin / Consultant / Bachelor in Marketing, Public Relationships and Publicity | Looking for a job. Contact me: mail@miguelsp.net
I currently recommend: InnoHosting.com, WebAngel.ie, XenVZ.co.uk, EDIS.at, Datashack.net, RamNode.com, Backupsy.com, tortois.es

  #5  
Old 06-13-2013, 03:01 PM
Steven
Problem Solver
 
Join Date: Mar 2003
Location: California USA
Posts: 12,917
They have killed our license, so I'll leave this here:

Quote:
No

You are a perfect example of what is wrong.

You'd threading to publish something and spread exploring knowledge you ****ing dolt scumbag loser.

Sent from my iPhone


  #6  
Old 06-13-2013, 03:11 PM
hostydotnet
Junior Guru
 
Join Date: Mar 2008
Location: hunterdon county NJ
Posts: 196
this is what is wrong with this guy, with everyone who thinks they are johnny justice.

he feels the need to do the world justice by posting damaging information if something isn't done his way in the time frame that is acceptable to him.

fact. we acknowledged his concerns. we acknowledged we are interested in fixing the problem and we agreed to do so.

here is his email, that he sent after we politely acknowledged the concerns and expressed interest in fixing them:
Quote:
Not good enough.
We have given you ample time to push out a fix, as per our policy for companies who do not take security seriously.. in 24 hours we will release a working POC to the community.

you do not have a "right" to use our software. we agree to do business with you. you have crossed the boundary between who we want to do business with and who we do not do business with.

if you post the exploit you will, without a doubt, find yourself in NJ court over a lawsuit for damages. you are in fact already damaging my business by what you are doing. i am warning you. i am not playing games with you. if you think that i am. TEST ME.

that being said...we will still be fixing the software. our way. the correct way, and in a proper fashion and it will be pushed out...when it is ready...not when you say it needs to be done by.

kevin


  #7  
Old 06-13-2013, 03:16 PM
Patrick
Security Ninja
 
Join Date: Mar 2003
Location: Canada
Posts: 8,607
The clock is counting down... a little less rambling on here and a little more fixing your software eh?

You had TWO WEEKS to fix a serious security flaw. I am sorry, but you will find very little sympathy here. The fact that you haven't even started working on a patch speaks volumes, even more so that you want to threaten us in court.

Edit:

Just so we are clear. We're not scared of you or your lawyers.

  #8  
Old 06-13-2013, 03:17 PM
Mark Muyskens
Rebooting is a hack, not a fix
 
Join Date: May 2008
Location: Citrus Heights, CA
Posts: 1,638
Kevin, you had two ****ing weeks. How about you quit whining and just fix your **** already.

__________________
Best Regards,

Mark

  #9  
Old 06-13-2013, 03:18 PM
MrGeneral
Web Hosting Master
 
Join Date: Jan 2008
Location: Portugal
Posts: 899
Quote:
Originally Posted by hostydotnet View Post
this is what is wrong with this guy, with everyone who thinks they are johnny justice.

he feels the need to do the world justice by posting damaging information if something isn't done his way in the time frame that is acceptable to him.

fact. we acknowledged his concerns. we acknowledged we are interested in fixing the problem and we agreed to do so.

here is his email, that he sent after we politely acknowledged the concerns and expressed interest in fixing them:


you do not have a "right" to use our software. we agree to do business with you. you have crossed the boundary between who we want to do business with and who we do not do business with.

if you post the exploit you will, without a doubt, find yourself in NJ court over a lawsuit for damages. you are in fact already damaging my business by what you are doing. i am warning you. i am not playing games with you. if you think that i am. TEST ME.

that being said...we will still be fixing the software. our way. the correct way, and in a proper fashion and it will be pushed out...when it is ready...not when you say it needs to be done by.

kevin
I'm sorry, Kevin, I am failing to understand the following... So, you had 2 weeks to fix a really critical security flaw, and are now threatening someone who found the flaw for free, instead of fixing it? Are you on holidays?

Such a response makes me lose all respect I had for you.


  #10  
Old 06-13-2013, 03:19 PM
Patrick
Security Ninja
 
Join Date: Mar 2003
Location: Canada
Posts: 8,607
Before anyone thinks we are being reckless with security by posting a POC after 24 hours, take a look at this:

http://googleonlinesecurity.blogspot...abilities.html

Zamfoo has had two weeks from when they were notified! Two weeks!

  #11  
Old 06-13-2013, 03:21 PM
hostydotnet
Junior Guru
 
Join Date: Mar 2008
Location: hunterdon county NJ
Posts: 196
No offense, but not everything is as simple as this guy seems to be making it sound.

He does not know our circumstances, as much as he would pretend to.

kevin


  #12  
Old 06-13-2013, 03:23 PM
Patrick
Security Ninja
 
Join Date: Mar 2003
Location: Canada
Posts: 8,607
Quote:
Originally Posted by hostydotnet View Post
No offense, but not everything is as simple as this guy seems to be making it sound.

He does not know our circumstances, as much as he would pretend to.

kevin
How much time do you need to issue a patch? Give us an exact ETA please. Lots of people use Zamfoo; we are willing to extend our deadline for their sake, not for you.

  #13  
Old 06-13-2013, 03:24 PM
techjr
Web Hosting Master
 
Join Date: Mar 2010
Posts: 4,471
Quote:
Originally Posted by Steven View Post
They have killed our license, so I'll leave this here:
If you need a new license to test for vulnerabilities there are plenty of members on this forum that would exchange the funds with you and buy the license on your behalf. Not like they would know anyways tbh. There are zamfoo resellers too but I believe you need to stay on the resellers network.


Quote:
Originally Posted by hostydotnet View Post
this is what is wrong with this guy, with everyone who thinks they are johnny justice.

he feels the need to do the world justice by posting damaging information if something isn't done his way in the time frame that is acceptable to him.

fact. we acknowledged his concerns. we acknowledged we are interested in fixing the problem and we agreed to do so.

here is his email, that he sent after we politely acknowledged the concerns and expressed interest in fixing them:


you do not have a "right" to use our software. we agree to do business with you. you have crossed the boundary between who we want to do business with and who we do not do business with.

if you post the exploit you will, without a doubt, find yourself in NJ court over a lawsuit for damages. you are in fact already damaging my business by what you are doing. i am warning you. i am not playing games with you. if you think that i am. TEST ME.

that being said...we will still be fixing the software. our way. the correct way, and in a proper fashion and it will be pushed out...when it is ready...not when you say it needs to be done by.

kevin
While I don't necessarily agree with posting the exploit (not at all, honestly, but it seems to work), if you hadn't come off like you had a major attitude toward people finding exploits in your software, I'm sure this thread wouldn't have even been started the way it currently is.

Have you at any point explained why it wasn't an immediate patch? If you did so clearly, then sure, I agree with you. But since you haven't bothered to explain yourself in this thread and have just sent legal threats, it doesn't seem like you were thorough enough with customers.


Last edited by techjr; 06-13-2013 at 03:28 PM.
  #14  
Old 06-13-2013, 03:26 PM
hostydotnet
Junior Guru
 
Join Date: Mar 2008
Location: hunterdon county NJ
Posts: 196
Quote:
Originally Posted by Patrick View Post
Before anyone thinks we are being reckless with security by posting a POC after 24 hours, take a look at this:

http://googleonlinesecurity.blogspot...abilities.html

Zamfoo has had two weeks from when they were notified! Two weeks!
if you were a respectable member of the hosting community you would never disclose an open attack if the vendor agrees and is willing to fix it. period.

it speaks volumes about the type of person you are.

i don't really care if you are scared or not. i wasn't making an air out backless threat. if you do release what you sent us, you will definitely find yourself with a legal problem.

kevin


  #15  
Old 06-13-2013, 03:26 PM
Patrick
Security Ninja
 
Join Date: Mar 2003
Location: Canada
Posts: 8,607
I should mention, if you issue a patch then we won't issue the POC. All we want is for you to fix the security flaws and give them the utmost concern, which I don't believe you have done. It's that simple. The flaw isn't even that complicated! You should be able to patch it within an hour, seriously.
