MPA3 compromised ?

  • commonsense
    So Fucking Banned
    • Feb 2007
    • 1790

    #1

    MPA3 compromised ?

    Posted: 04/30/2008
    LOS ANGELES - A routine audit of source code for MPA3 found a "mySQL injection," but the company said the matter has already been resolved.

    Oystein Wright, CEO of Mansion Productions, the parent company of MPA3, said the injection meant someone could have added strings to the variables MPA3 uses and extracted some information from the database.

    The company that conducted the audit notified officials from MPA3 about the issue Monday, and MPA3 officials checked and verified the issue, Wright said.

    "We prepared a fix and started updating clients' programs right away," he said.

    Clients were notified of the security issue findings and the implemented fix via email, Wright said, adding that, "To date, no information has been lost or compromised that we know of."

    "We did get feedback from a few clients asking if their programs had been fixed, and they were all happy to hear that they were," he said. "I have yet to get a single complaint, and I believe it is because we made the necessary changes to secure their programs as soon as we found out about it."


    Link to full story
  • GrouchyAdmin
    Now choke yourself!
    • Apr 2006
    • 12085

    #2
    That's an oops.

    • StuartD
      Sofa King Band
      • Jul 2002
      • 29903

      #3
      Yeah, they "fixed" it by telling programs to restrict IPs to the admin section.
      There are ways around that as well. What all else has been fixed since then, I don't know.

      The entire exploit has been posted on a bunch of places around the net. So fixing it as soon as they were informed about it likely didn't avoid much damage since it could have been around for some time before that.

      I wonder if minuseonebit will/would go after them with the same vigor he did for NATS.

      • YellowPages
        Shooter Pinks
        • Mar 2008
        • 150

        #4
        Anything plugged in to fiber is vulnerable.

        Coding core using safe practices is the best safeguard against PHP and MySQL injections, but that doesn't just secure anything and everything.

        The important part is recognizing and correcting any weak points in potentially vulnerable scripts.

        People try to inject my scripts all the time, it's a fact out here.

        The best thing I can do to protect myself is to use safe coding practices instead of shortcuts, and to buy safe coded commercial scripts and even check them myself if there's any doubt as to their security.

        If Oystein is fixing it/has fixed it, then great.

        It's still vulnerable. It's plugged in.
        So is my bank.

        My bank had good software, so does Oystein.

        YP

        • Jens Van Assterdam
          The Dupre Pimp
          • Feb 2008
          • 6677

          #5
          And you guys still wonder where all the passwords in password forums come from..?

          • mrkris
            Confirmed User
            • May 2005
            • 2737

            #6
            It happens. The best of developers can screw up. All it takes is a long day of coding or lack of sleep to accidentally skip over sanitizing user-submitted data.

            At least he had it fixed (in some form).

            PHP-MySQL-Rails | ICQ: 342500546

            • Nookster
              Confirmed IT Professional
              • Nov 2005
              • 3744

              #7
              One of the easiest flaws to deal with, yet thousands of developers (or I should say amateurs, rather) continue to not protect their SQL scripts. I find it simply amazing.
              The Best Affiliate Software, Ever.

              • NETbilling
                Confirmed User
                • Jan 2002
                • 8598

                #8
                MPA is solid and they are very proactive.

                Mitch


                Mitch Farber
                CEO - NETbilling, Inc.
                Email / Phone: 888-357-8166 / 661-252-2456
                Transaction processing & 24/7 call center services with exceptional rates and flexibility, since 1998!
