Again about security hole in CP!

  #1  
Old 04-16-2001, 08:07 AM
bigAl bigAl is offline
Registered User
 
Join Date: Apr 2001
Posts: 29
Hi again, guys… why did you delete my last thread? Are you afraid of something?

I will repeat:
There’s a great (BIG) security hole in VDI’s CP3! You can get any file from any server running CP3.
More than that! I can get root access on ANY server running CP3! (But this host must provide demo access to CP).

I can tell the VDI’s support about the hole, and about how to use it, but it will cost some $$$. Or I can hack a server... if you want... $$$ - and the server's yours.
As a demo, I can create a new user with ssh access on any server running CP.

Mail me, guys… or use the ICQ (profile) to contact me.

PS: To ask 250 per month, first think about the security… guys…

  #2  
Old 04-16-2001, 08:29 AM
Starhost Starhost is offline
Web Hosting Evangelist
 
Join Date: Nov 2000
Posts: 486
Hahahaha, you are so funny! Why should we pay ya? Are you that poor? And if there were a real security hole, there would already be some servers hacked.

And when there are servers hacked with the CP, we know who did it, you fool.

  #3  
Old 04-16-2001, 08:40 AM
bigAl bigAl is offline
Registered User
 
Join Date: Apr 2001
Posts: 29
you won't know who did that

to others: if you own a hosting company, and want to hack another hosting company (I bet you could guess what for) just mail me

  #4  
Old 04-16-2001, 08:45 AM
cperciva cperciva is offline
Retired Moderator
 
Join Date: Jan 2001
Posts: 2,603
Quote:
Originally posted by bigAl
to others: if you own a hosting company, and want to hack another hosting company (I bet you could guess what for) just mail me
Mods, do you want to ban this guy? Call me old fashioned, but advertising felonious services here seems a bit ridiculous, even if it is probably done in jest.

  #5  
Old 04-16-2001, 09:04 AM
bigAl bigAl is offline
Registered User
 
Join Date: Apr 2001
Posts: 29
he scared?

I'm serious! There's a big hole. And you guys should try to fix it. And you are trying to ban the man who CAN and WILL help you. cperciva, we should work together, I think. You, as a service provider, MUST be interested! I can work for you to fix this hole! Try to understand - I'm NOT your opponent.

I can repeat:
When you want to get 250 per month - spend 2500 on the security.


Last edited by bigAl; 04-16-2001 at 09:12 AM.
  #6  
Old 04-16-2001, 09:07 AM
kunal kunal is offline
Web Hosting Master
 
Join Date: Aug 2000
Posts: 2,750
bigAl is right.. there is a hole.. and they are working on a fix for it..

__________________
The Php Support Desk
http://www.phpsupportdesk.com
Custom programming - kunal @ e-phoria.com
http://www.pingzine.com - Ping!Zine. the FREE, FRESH and EXCITING Web Hosting Magazine...

  #7  
Old 04-16-2001, 09:08 AM
Starhost Starhost is offline
Web Hosting Evangelist
 
Join Date: Nov 2000
Posts: 486
Alright bigAl, then hack the server that VDI's server is running on. You said you can do it, so prove it. I'll bet you can't, lame poor fellow.

  #8  
Old 04-16-2001, 09:12 AM
bigAl bigAl is offline
Registered User
 
Join Date: Apr 2001
Posts: 29
Quote:
Originally posted by Starhost
You said you can do it, so prove it. I'll bet you can't, lame poor fellow.
I'll make a deface - I'll tell you when it will be ready.

  #9  
Old 04-16-2001, 09:59 AM
bigAl bigAl is offline
Registered User
 
Join Date: Apr 2001
Posts: 29
NOW,

I edited some page... be serious! There's a hole!

site: http://canyonrimmall.com/
hosting: http://jaguarpc.com
demo: http://jaguarpc.com/demo.php

View the source of the http://canyonrimmall.com/ page. There's a comment at the end of the page.

"<!--Test this page. Merlin. -->"

I tried not to do harm to anybody...

Now try this:
http://canyonrimmall.com/*****.cgi
No password heh?

Do you believe me now?


2 VDI:
Will we work together?


Last edited by bigAl; 04-16-2001 at 10:32 AM.
  #10  
Old 04-16-2001, 10:03 AM
bigAl bigAl is offline
Registered User
 
Join Date: Apr 2001
Posts: 29

  #11  
Old 04-16-2001, 10:10 AM
William William is offline
Shaping How Hosting is Done
 
Join Date: Sep 2000
Location: NY
Posts: 489
That's not a cpanel script

What you have attempted to hack was a "Domain owner" issue.

They need to adjust their own permissions correctly.

  #12  
Old 04-16-2001, 10:14 AM
Chicken Chicken is offline
Web Hosting Master
 
Join Date: Jun 2000
Location: Southern California
Posts: 12,121
Quote:
Originally posted by bigAl
View the source of the http://canyonrimmall.com/ page. There's a comment at the end of the page.

"<!--Test this page. Merlin. -->"

I tried not to do harm to anybody...

Now try this:
http://canyonrimmall.com/cgi-bin/admin/admin.cgi
No password heh?
Don't see that Merlin thing. The other is a cgi script that doesn't have a .htaccess file in the admin panel (not brilliant but not cracked). If I took the .htaccess file out of my phpmyadmin dir, you'd be able to access that too, but you can't since I have it in. I don't get what this is about.

__________________
HostHideout.com - Where professionals discuss web hosting.

• Chicken

  #13  
Old 04-16-2001, 10:22 AM
bigAl bigAl is offline
Registered User
 
Join Date: Apr 2001
Posts: 29
Re: That's not a cpanel script

Quote:
Originally posted by William
What you have attempted to hack was a "Domain owner" issue.

They need to adjust their own permissions correctly.
I used a hole in CP.
It doesn't matter whether the user sets the permissions correctly - because I've edited the file using the USER's access permissions! And the user MUST be able to edit his own files. About the LINKS script... it uses a .htaccess file.

  #14  
Old 04-16-2001, 10:27 AM
bigAl bigAl is offline
Registered User
 
Join Date: Apr 2001
Posts: 29
Quote:
Originally posted by Chicken

Don't see that Merlin thing. The other is a cgi script that doesn't have a .htaccess file in the admin panel (not brilliant but not cracked). If I took the .htaccess file out of my phpmyadmin dir, you'd be able to access that too, but you can't since I have it in. I don't get what this is about.
OH! Sorry, I made a rebuild from the LINKS admin panel when I added a new link (http://canyonrimmall.com/Web_Services/).

LINKS script:
there WAS a .htaccess file and there ISN'T such a file there now.

I will add the comment again.

  #15  
Old 04-16-2001, 10:30 AM
bigAl bigAl is offline
Registered User
 
Join Date: Apr 2001
Posts: 29
done.
the comment was added again.

2 VDI:
what do U think of it?
