possible NATS exploit?
Collapse
X
-
Tags: None
-
-
-
-
-
Do you have any more inside knowledge than the rest of us ?Originally posted by IceMasterAnyway its getting popular so everybody will start finding bugs for it soon.Comment
-
oh well, seems hackers are everywhereOriginally posted by IceMasterNo, but happens with everything... phpbb... vbulletin... windows...Comment
-
-
-
NATS isn't open source.. security through obscurity.Originally posted by IceMasterNo, but happens with everything... phpbb... vbulletin... windows...
There are Zend decoders now, though.254342256Comment
-
What has Zend to do with this ?Originally posted by studiocriticNATS isn't open source.. security through obscurity.
There are Zend decoders now, though.Comment
-
ok, so it seems only some programs are having problems. Could this be related to a certain version or is it may be a mysql problem ?Originally posted by tenderobjectsome nats programs are okComment
-
Has any of them exposed already ?Originally posted by Pimpin_JJust a matter of time i think.. all adult-cms had/have bugs..
mpa,sitdepth and so on
Comment
-
There wasnt a public advisory as far as i know but i said it here allready http://www.gofuckyourself.com/showthread.php?t=629368Comment
-
-
This is not a NATS bug, its neither a NATS exploit.
People that do not understand errors should not throw around words like "exploit"... what other programs do not work right now? I only know of this one problem with panchodog.
The error with panchodog is a mysql problem, not a NATS problem. Just because NATS is so nice and actually produces intelligent error displays for the client does not mean its a damn NATS problem or exploit!"Think about it a little more and you'll agree with me, because you're smart and I'm right."
- Charlie MungerComment
-
This is what I was thinking also. lol This whole thread is da silly. Dumbest thread of the day?Originally posted by NathanThis is not a NATS bug, its neither a NATS exploit.
People that do not understand errors should not throw around words like "exploit"... what other programs do not work right now? I only know of this one problem with panchodog.
The error with panchodog is a mysql problem, not a NATS problem. Just because NATS is so nice and actually produces intelligent error displays for the client does not mean its a damn NATS problem or exploit!Comment
-
http://affiliates.panchodog.com/signup.php?nats=Originally posted by NathanJust because NATS is so nice and actually produces intelligent error displays for the client does not mean its a damn NATS problem or exploit!
I wouldn't consider this an intelligent errorNATS has found a problem
DB Error: Can't open file: 'accounts.MYI'. (errno: 145)
/usr/home/natsinstall/nats/includes/database.php:430Comment
-
Originally posted by darksoul
Lol.. ok, if ya say so...
What would be intelligent?
"Sorry, but there is a problem, please come back later."???
So the client has to sit there and figure out for hours what the issue actually is?
The page tells you EXACTLY what the problem is, thats the whole point of an error. Just because YOU do not understand it does not mean its not a correct error."Think about it a little more and you'll agree with me, because you're smart and I'm right."
- Charlie MungerComment
-
Originally posted by NathanLol.. ok, if ya say so...
What would be intelligent?
"Sorry, but there is a problem, please come back later."???
So the client has to sit there and figure out for hours what the issue actually is?
The page tells you EXACTLY what the problem is, thats the whole point of an error. Just because YOU do not understand it does not mean its not a correct error.
haha
listen, now you got me mad,
you're a fucking idiot, I know better than you what that means
You shouldn't disclose informations to the public moron
A message like
"A mysql error was found" would've been more intelligent
than telling all the world where nats is installed so it can be abused
when a bug is found.
That shit is called "path disclosure" look it up genius.
Also, You don't have to display errors on the site for YOUR customer to
see it. Those can be logged separately.Comment
-
Your error just told me:
the panchodog server is running freebsd
theres a table called accounts in nats
nats is installed in /usr/home/natsinstall
panchodog is running version 3.0.29
- this appear to be wrappers around pear functions.3. nats_error_handler(256, DB Error: Can't open file: 'accounts.MYI'. (errno: 145), /usr/home/natsinstall/nats/includes/database.php, 430, Array) in :
2. trigger_error(DB Error: Can't open file: 'accounts.MYI'. (errno: 145), 256) in /usr/home/natsinstall/nats/includes/database.php:430
1. nats_db_fetch_assoc() in /usr/home/natsinstall/nats/www/signup.php:45
DO YOU REALLY NEED TO GIVE THAT INFO TO THE PUBLIC
YOU are so fucking intelligent and so are your errorsComment
-
Sorry I made you mad, lol...
oppinions, oppinions.. everyone and their mother has one...
We create the errors in this way so the clients notice them, we know our clients... The location disclosure of NATS itself is also no problem because in now-a-days exploits the path can be retreived anyway, its not so hard ya know, people that use exploits will find it fast anyway (in case they even NEED it, which is not even the case)... There is a reason why not even apache has a problem with disclosing full paths to websites, nor does PHP on standard php errors...
We tried many different error displays in the past, we also had it turned off totally for some time and only did logging, we had too many clients get problems because of it and this way simply fixes things faster (98% of the time)...
The errors do not disclose information that could not be retreived in many other ways if you want to exploit someone..."Think about it a little more and you'll agree with me, because you're smart and I'm right."
- Charlie MungerComment
-
LOL... you threatening me somehow or what? Chill man, its just an error.. and we have reasons for a backtrace, I'm so sorry that you disagree with how we do things.... live with it...Originally posted by darksoulI advice you to not fucking reply to this thread anymore!"Think about it a little more and you'll agree with me, because you're smart and I'm right."
- Charlie MungerComment
-
Originally posted by darksoulYour error just told me:
the panchodog server is running freebsd
theres a table called accounts in nats
nats is installed in /usr/home/natsinstall
panchodog is running version 3.0.29
3. nats_error_handler(256, DB Error: Can't open file: 'accounts.MYI'. (errno: 145), /usr/home/natsinstall/nats/includes/database.php, 430, Array) in :
2. trigger_error(DB Error: Can't open file: 'accounts.MYI'. (errno: 145), 256) in /usr/home/natsinstall/nats/includes/database.php:430
1. nats_db_fetch_assoc() in /usr/home/natsinstall/nats/www/signup.php:45
Dude, that's not exactly difficult to figure out, even without an error message.Comment
-
I see you ignored my advice.
You just called your clients idiots, good job! You probably know that for a fact cause they chose you!Originally posted by NathanWe create the errors in this way so the clients notice them, we know our clients...
dude, look at all the data I fetched from a simple errorThe location disclosure of NATS itself is also no problem because in now-a-days exploits the path can be retreived anyway, its not so hard ya know, people that use exploits will find it fast anyway (in case they even NEED it, which is not even the case)... There is a reason why not even apache has a problem with disclosing full paths to websites, nor does PHP on standard php errors...
We tried many different error displays in the past, we also had it turned off totally for some time and only did logging, we had too many clients get problems because of it and this way simply fixes things faster (98% of the time)...
The errors do not disclose information that could not be retreived in many other ways if you want to exploit someone...
I don't want to think how much shit can be fetched from your script.
You are supposed to take security seriously and not this fuck it attitude.
Just because it can happen in other ways doesn't mean your script has
to allow it.Comment
-
and you'd know how ?Originally posted by jimthefiendDude, that's not exactly difficult to figure out, even without an error message.
I'll give you one day to show me that data without using nats.
if not you'll have to build 100 galleries for epictrashComment
-
the advice was so that you don't get me even more mad and show more about what pos your script is.Originally posted by NathanLOL... you threatening me somehow or what? Chill man, its just an error.. and we have reasons for a backtrace, I'm so sorry that you disagree with how we do things.... live with it...Comment
-
I did not call our clients idiots, far from it.. all I said is that we know our clients well, and we know what they want and ask from us ;)
The errors are created like this for a reason, I told you that plenty of times, if you do not understand or agree, thats not my problem, its yours...
The information disclosed in no way is a problem, it only helps us and the client, and thats what it is there for...
BTW, I just looked at axscripts.com, a friendly advice... you might want to reconsider posting here..."Think about it a little more and you'll agree with me, because you're smart and I'm right."
- Charlie MungerComment
-
Again, sorry that I made you mad... kinda sad how easy it is to get you mad though...Originally posted by darksoulthe advice was so that you don't get me even more mad and show more about what pos your script is.
And hey, if you know of bugs in NATS (guessing that is what you mean by "what pos your script is"), please do tell! I'd love to know them so we can fix them (in case we have not already in our latest version)"Think about it a little more and you'll agree with me, because you're smart and I'm right."
- Charlie MungerComment
-
Originally posted by darksouland you'd know how ?
I'll give you one day to show me that data without using nats.
if not you'll have to build 100 galleries for epictrash
Because I have a working knowledge of php and sql. Considering what you do, I'm shocked as hell you're making such a big deal out of this. Every fucking script I know of displays at least SOME path info in error messages when there are DB issues. There are also 50 million ways to find that info out even without an error.
Your motivations in this are more than a little suspect.
You don't dictate ANYTHING to me, btw.Comment
-
random bump
BigCocks.com -
MatureWomen.com -
Tranny.com -
DrunkGirls.com -
TeenGirls.com -
MonsterCock.com and
many more... Click
here to see them all!Comment
-
PS, on that lame little support forum for that shitty little trade script you have, there are several posts discussing errors of a similiar nature, AND displaying similiar information. IE. paths, etc.
Does that mean that POS you spam has an exploit?
LMA0Comment
-
Fact is I prepared a bunch of servers for nats and I know how clueless you areOriginally posted by NathanAgain, sorry that I made you mad... kinda sad how easy it is to get you mad though...
about servers and when you tell me I dont understand a mysql error yea it gets me mad
you are so cocky!(in case we have not already in our latest version)
but thanks, I've wasted enough time on it.Comment
-
Dude! I didn't said no script has them.Originally posted by jimthefiendBecause I have a working knowledge of php and sql. Considering what you do, I'm shocked as hell you're making such a big deal out of this. Every fucking script I know of displays at least SOME path info in error messages when there are DB issues. There are also 50 million ways to find that info out even without an error.
Your motivations in this are more than a little suspect.
You don't dictate ANYTHING to me, btw.
It just give too much information and I don't call that an "intelligent error"Comment
-
yup, it has a shit load of bugs.Originally posted by jimthefiendPS, on that lame little support forum for that shitty little trade script you have, there are several posts discussing errors of a similiar nature, AND displaying similiar information. IE. paths, etc.
Does that mean that POS you spam has an exploit?
LMA0
I coded it in two hours but it wont give away any substantial info if lets say it would be hacked.
Can nats say the same if someone hack them ?Last edited by darksoul; 07-08-2006, 05:40 AM.Comment
-
LOL, you are funny... I'm curious how _I_ am "clueless" about servers.. not sure how you base this on the fact that you prepared servers for nats before, but thats ok... I'd like to know what you think makes us (as in Too Much Media, yes, this is not a one-man-show, we actually have an office and employees and such) "clueless" about servers... I'm seriously interested in that btw, I like to learn...Originally posted by darksoulFact is I prepared a bunch of servers for nats and I know how clueless you are
about servers and when you tell me I dont understand a mysql error yea it gets me mad
you are so cocky!
but thanks, I've wasted enough time on it.
and I'm not cocky, I'm just good at what I do.. well.. and I'm german, so my english might not be perfect..."Think about it a little more and you'll agree with me, because you're smart and I'm right."
- Charlie MungerComment
-
Originally posted by darksoulDude! I didn't said no script has them.
It just give too much information and I don't call that an "intelligent error"
Dude, seriously. How is it NOT intelligent?
NATS has found a problem
DB Error: Can't open file: 'accounts.MYI'. (errno: 145)
/usr/home/natsinstall/nats/includes/database.php:430
That gives you the db name, error code, file thats making the call and on what LINE of code the call is being made from.
I just don't get you. lol
I don't see how that could be more clear.Comment
-
Dude, you give away quite a bit of substantial info, its called SOURCE CODE and its available for the whole damn script of yours...Originally posted by darksoulyup, it has a shit load of bugs.
I coded it in two hours but it wont give away any substantial info if lets say it would be hacked.
Can nats say the same if someone hack them ?"Think about it a little more and you'll agree with me, because you're smart and I'm right."
- Charlie MungerComment
-
Originally posted by NathanLOL, you are funny... I'm curious how _I_ am "clueless" about servers.. not sure how you base this on the fact that you prepared servers for nats before, but thats ok... I'd like to know what you think makes us (as in Too Much Media, yes, this is not a one-man-show, we actually have an office and employees and such) "clueless" about servers... I'm seriously interested in that btw, I like to learn...
and I'm not cocky, I'm just good at what I do.. well.. and I'm german, so my english might not be perfect...
If you are so good at what you do , do you know how "least privileges" principle
works ?
And if yes, why don't you apply it ?
Why nats gives access to the entire database to the user thats supposed
to fetch only user and passwords ?
(and I have nothing with too much media, this is between you and me cause you started the shit not your company)Comment
-
its called open source, lolOriginally posted by NathanDude, you give away quite a bit of substantial info, its called SOURCE CODE and its available for the whole damn script of yours...
I dont need to hide my code behind encodersComment
-
Yeah, I do.. emm.. and we do not dictate what our clients use in terms of database privileges.. btw, if you think "least privileges" principle is so great, WHY THE FUCK do you tell your axscripts clients to set fucking templates and templates_c to mode 777?!? how is that LEAST PRIVILEGES?!Originally posted by darksoulIf you are so good at what you do , do you know how "least privileges" principle
works ?
And if yes, why don't you apply it ?
Why nats gives access to the entire database to the user thats supposed
to fetch only user and passwords ?
(and I have nothing with too much media, this is between you and me cause you started the shit not your company)
Seriously, people in a glass house should not throw with stones, you are looking stupid here.
Also, NATS has no single user that only fetches user and password... if you mean SPARTA setups with NATS, we actually tell our clients specifically which tables we need select and which we need update/insert privileges on..."Think about it a little more and you'll agree with me, because you're smart and I'm right."
- Charlie MungerComment


Comment