possible NATS exploit?

[gooddomains]

Can anyone confirm or deny this information?

http://www.gofuckyourself.com/showthread.php?t=630815

[IceMaster]

I guess that the script connects to a nats site and sponsors get it down for too many requests.

[darksoul]

lol, you're so clueless.

[themanager]

I have n o idea.

[gooddomains]

Sounds more like a more serious problem at first sight

[darksoul]

Quote:

Originally Posted by IceMaster

I guess that the script connects to a nats site and sponsors get it down for too many requests.

neh, the database on that server its fucked up.
nothing directly related to nats.

[gooddomains]

What about the other programs that also do not seem to work ?

[IceMaster]

Anyway its getting popular so everybody will start finding bugs for it soon.

[gooddomains]

Quote:

Originally Posted by IceMaster

Anyway its getting popular so everybody will start finding bugs for it soon.

Do you have any more inside knowledge than the rest of us ?

[IceMaster]

Quote:

Originally Posted by gooddomains

Do you have any more inside knowledge than the rest of us ?

No, but happens with everything... phpbb... vbulletin... windows...

[gooddomains]

Quote:

Originally Posted by IceMaster

No, but happens with everything... phpbb... vbulletin... windows...

oh well, seems hackers are everywhere

[Kimo]

is this for real?

[gooddomains]

Quote:

Originally Posted by Kimo

is this for real?

Read the other thread

[tenderobject]

some nats programs are ok

[studiocritic]

Quote:

Originally Posted by IceMaster

No, but happens with everything... phpbb... vbulletin... windows...

NATS isn't open source.. security through obscurity.

There are Zend decoders now, though.

[darksoul]

Quote:

Originally Posted by studiocritic

NATS isn't open source.. security through obscurity.

nor is vbulletin or windows

[IceMaster]

Quote:

Originally Posted by studiocritic

NATS isn't open source.. security through obscurity.

There are Zend decoders now, though.

I was talking about the posibility, i dont really know how Nats works or what they offer.

[gooddomains]

Quote:

Originally Posted by studiocritic

NATS isn't open source.. security through obscurity.

There are Zend decoders now, though.

What has Zend to do with this ?

[gooddomains]

Quote:

Originally Posted by tenderobject

some nats programs are ok

ok, so it seems only some programs are having problems. Could this be related to a certain version or is it may be a mysql problem ?

[Pimpin_J]

Just a matter of time i think.. all adult-cms had/have bugs..
mpa,sitdepth and so on

[gooddomains]

Quote:

Originally Posted by Pimpin_J

Just a matter of time i think.. all adult-cms had/have bugs..
mpa,sitdepth and so on

Has any of them exposed already ?

[Pimpin_J]

There wasnt a public advisory as far as i know but i said it here allready http://www.gofuckyourself.com/showthread.php?t=629368

[gooddomains]

Thx for the info

[Nathan]

This is not a NATS bug, its neither a NATS exploit.

People that do not understand errors should not throw around words like "exploit"... what other programs do not work right now? I only know of this one problem with panchodog.

The error with panchodog is a mysql problem, not a NATS problem. Just because NATS is so nice and actually produces intelligent error displays for the client does not mean its a damn NATS problem or exploit!

[stickyfingerz]

Quote:

Originally Posted by Nathan

This is not a NATS bug, its neither a NATS exploit.

People that do not understand errors should not throw around words like "exploit"... what other programs do not work right now? I only know of this one problem with panchodog.

The error with panchodog is a mysql problem, not a NATS problem. Just because NATS is so nice and actually produces intelligent error displays for the client does not mean its a damn NATS problem or exploit!

This is what I was thinking also. lol This whole thread is da silly. Dumbest thread of the day?

[darksoul]

Quote:

Originally Posted by Nathan

Just because NATS is so nice and actually produces intelligent error displays for the client does not mean its a damn NATS problem or exploit!

http://affiliates.panchodog.com/signup.php?nats=

Quote:

NATS has found a problem

DB Error: Can't open file: 'accounts.MYI'. (errno: 145)

/usr/home/natsinstall/nats/includes/database.php:430

I wouldn't consider this an intelligent error

[Nathan]

Quote:

Originally Posted by darksoul

http://affiliates.panchodog.com/signup.php?nats=


I wouldn't consider this an intelligent error

Lol.. ok, if ya say so...

What would be intelligent?

"Sorry, but there is a problem, please come back later."???

So the client has to sit there and figure out for hours what the issue actually is?

The page tells you EXACTLY what the problem is, thats the whole point of an error. Just because YOU do not understand it does not mean its not a correct error.

[darksoul]

Quote:

Originally Posted by Nathan

Lol.. ok, if ya say so...

What would be intelligent?

"Sorry, but there is a problem, please come back later."???

So the client has to sit there and figure out for hours what the issue actually is?

The page tells you EXACTLY what the problem is, thats the whole point of an error. Just because YOU do not understand it does not mean its not a correct error.

haha
listen, now you got me mad,
you're a fucking idiot, I know better than you what that means
You shouldn't disclose informations to the public moron
A message like
"A mysql error was found" would've been more intelligent
than telling all the world where nats is installed so it can be abused
when a bug is found.

That shit is called "path disclosure" look it up genius.

Also, You don't have to display errors on the site for YOUR customer to
see it. Those can be logged separately.

[darksoul]

Your error just told me:
the panchodog server is running freebsd
theres a table called accounts in nats
nats is installed in /usr/home/natsinstall
panchodog is running version 3.0.29

Quote:

3. nats_error_handler(256, DB Error: Can't open file: 'accounts.MYI'. (errno: 145), /usr/home/natsinstall/nats/includes/database.php, 430, Array) in :
2. trigger_error(DB Error: Can't open file: 'accounts.MYI'. (errno: 145), 256) in /usr/home/natsinstall/nats/includes/database.php:430
1. nats_db_fetch_assoc() in /usr/home/natsinstall/nats/www/signup.php:45

- this appear to be wrappers around pear functions.

DO YOU REALLY NEED TO GIVE THAT INFO TO THE PUBLIC
YOU are so fucking intelligent and so are your errors

[darksoul]

I advice you to not fucking reply to this thread anymore!

[Nathan]

Sorry I made you mad, lol...

oppinions, oppinions.. everyone and their mother has one...

We create the errors in this way so the clients notice them, we know our clients... The location disclosure of NATS itself is also no problem because in now-a-days exploits the path can be retreived anyway, its not so hard ya know, people that use exploits will find it fast anyway (in case they even NEED it, which is not even the case)... There is a reason why not even apache has a problem with disclosing full paths to websites, nor does PHP on standard php errors...

We tried many different error displays in the past, we also had it turned off totally for some time and only did logging, we had too many clients get problems because of it and this way simply fixes things faster (98% of the time)...

The errors do not disclose information that could not be retreived in many other ways if you want to exploit someone...

[Nathan]

Quote:

Originally Posted by darksoul

I advice you to not fucking reply to this thread anymore!

LOL... you threatening me somehow or what? Chill man, its just an error.. and we have reasons for a backtrace, I'm so sorry that you disagree with how we do things.... live with it...

[jimthefiend]

Quote:

Originally Posted by darksoul

Your error just told me:
the panchodog server is running freebsd
theres a table called accounts in nats
nats is installed in /usr/home/natsinstall
panchodog is running version 3.0.29
3. nats_error_handler(256, DB Error: Can't open file: 'accounts.MYI'. (errno: 145), /usr/home/natsinstall/nats/includes/database.php, 430, Array) in :
2. trigger_error(DB Error: Can't open file: 'accounts.MYI'. (errno: 145), 256) in /usr/home/natsinstall/nats/includes/database.php:430
1. nats_db_fetch_assoc() in /usr/home/natsinstall/nats/www/signup.php:45

Dude, that's not exactly difficult to figure out, even without an error message.

[darksoul]

I see you ignored my advice.

Quote:

Originally Posted by Nathan

We create the errors in this way so the clients notice them, we know our clients...

You just called your clients idiots, good job! You probably know that for a fact cause they chose you!

Quote:

The location disclosure of NATS itself is also no problem because in now-a-days exploits the path can be retreived anyway, its not so hard ya know, people that use exploits will find it fast anyway (in case they even NEED it, which is not even the case)... There is a reason why not even apache has a problem with disclosing full paths to websites, nor does PHP on standard php errors...

We tried many different error displays in the past, we also had it turned off totally for some time and only did logging, we had too many clients get problems because of it and this way simply fixes things faster (98% of the time)...

The errors do not disclose information that could not be retreived in many other ways if you want to exploit someone...

dude, look at all the data I fetched from a simple error
I don't want to think how much shit can be fetched from your script.

You are supposed to take security seriously and not this fuck it attitude.
Just because it can happen in other ways doesn't mean your script has
to allow it.

[darksoul]

Quote:

Originally Posted by jimthefiend

Dude, that's not exactly difficult to figure out, even without an error message.

and you'd know how ?
I'll give you one day to show me that data without using nats.
if not you'll have to build 100 galleries for epictrash

[darksoul]

Quote:

Originally Posted by Nathan

LOL... you threatening me somehow or what? Chill man, its just an error.. and we have reasons for a backtrace, I'm so sorry that you disagree with how we do things.... live with it...

the advice was so that you don't get me even more mad and show more about what pos your script is.

[Nathan]

I did not call our clients idiots, far from it.. all I said is that we know our clients well, and we know what they want and ask from us ;)

The errors are created like this for a reason, I told you that plenty of times, if you do not understand or agree, thats not my problem, its yours...

The information disclosed in no way is a problem, it only helps us and the client, and thats what it is there for...

BTW, I just looked at axscripts.com, a friendly advice... you might want to reconsider posting here...

[Nathan]

Quote:

Originally Posted by darksoul

the advice was so that you don't get me even more mad and show more about what pos your script is.

Again, sorry that I made you mad... kinda sad how easy it is to get you mad though...

And hey, if you know of bugs in NATS (guessing that is what you mean by "what pos your script is"), please do tell! I'd love to know them so we can fix them (in case we have not already in our latest version)

[jimthefiend]

Quote:

Originally Posted by darksoul

and you'd know how ?
I'll give you one day to show me that data without using nats.
if not you'll have to build 100 galleries for epictrash

Because I have a working knowledge of php and sql. Considering what you do, I'm shocked as hell you're making such a big deal out of this. Every fucking script I know of displays at least SOME path info in error messages when there are DB issues. There are also 50 million ways to find that info out even without an error.

Your motivations in this are more than a little suspect.

You don't dictate ANYTHING to me, btw.

[MaddCaz]

random bump

[jimthefiend]

PS, on that lame little support forum for that shitty little trade script you have, there are several posts discussing errors of a similiar nature, AND displaying similiar information. IE. paths, etc.



Does that mean that POS you spam has an exploit?

LMA0

[darksoul]

Quote:

Originally Posted by Nathan

Again, sorry that I made you mad... kinda sad how easy it is to get you mad though...

Fact is I prepared a bunch of servers for nats and I know how clueless you are
about servers and when you tell me I dont understand a mysql error yea it gets me mad

Quote:

(in case we have not already in our latest version)

you are so cocky!
but thanks, I've wasted enough time on it.

[darksoul]

Quote:

Originally Posted by jimthefiend

Because I have a working knowledge of php and sql. Considering what you do, I'm shocked as hell you're making such a big deal out of this. Every fucking script I know of displays at least SOME path info in error messages when there are DB issues. There are also 50 million ways to find that info out even without an error.

Your motivations in this are more than a little suspect.

You don't dictate ANYTHING to me, btw.

Dude! I didn't said no script has them.
It just give too much information and I don't call that an "intelligent error"

[darksoul]

Quote:

Originally Posted by jimthefiend

PS, on that lame little support forum for that shitty little trade script you have, there are several posts discussing errors of a similiar nature, AND displaying similiar information. IE. paths, etc.



Does that mean that POS you spam has an exploit?

LMA0

yup, it has a shit load of bugs.
I coded it in two hours but it wont give away any substantial info if lets say it would be hacked.
Can nats say the same if someone hack them ?

[Nathan]

Quote:

Originally Posted by darksoul

Fact is I prepared a bunch of servers for nats and I know how clueless you are
about servers and when you tell me I dont understand a mysql error yea it gets me mad



you are so cocky!
but thanks, I've wasted enough time on it.

LOL, you are funny... I'm curious how _I_ am "clueless" about servers.. not sure how you base this on the fact that you prepared servers for nats before, but thats ok... I'd like to know what you think makes us (as in Too Much Media, yes, this is not a one-man-show, we actually have an office and employees and such) "clueless" about servers... I'm seriously interested in that btw, I like to learn...

and I'm not cocky, I'm just good at what I do.. well.. and I'm german, so my english might not be perfect...

[jimthefiend]

Quote:

Originally Posted by darksoul

Dude! I didn't said no script has them.
It just give too much information and I don't call that an "intelligent error"

Dude, seriously. How is it NOT intelligent?



NATS has found a problem

DB Error: Can't open file: 'accounts.MYI'. (errno: 145)

/usr/home/natsinstall/nats/includes/database.php:430



That gives you the db name, error code, file thats making the call and on what LINE of code the call is being made from.


I just don't get you. lol

I don't see how that could be more clear.

[Nathan]

Quote:

Originally Posted by darksoul

yup, it has a shit load of bugs.
I coded it in two hours but it wont give away any substantial info if lets say it would be hacked.
Can nats say the same if someone hack them ?

Dude, you give away quite a bit of substantial info, its called SOURCE CODE and its available for the whole damn script of yours...

[darksoul]

Quote:

Originally Posted by Nathan

LOL, you are funny... I'm curious how _I_ am "clueless" about servers.. not sure how you base this on the fact that you prepared servers for nats before, but thats ok... I'd like to know what you think makes us (as in Too Much Media, yes, this is not a one-man-show, we actually have an office and employees and such) "clueless" about servers... I'm seriously interested in that btw, I like to learn...

and I'm not cocky, I'm just good at what I do.. well.. and I'm german, so my english might not be perfect...

If you are so good at what you do , do you know how "least privileges" principle
works ?
And if yes, why don't you apply it ?
Why nats gives access to the entire database to the user thats supposed
to fetch only user and passwords ?

(and I have nothing with too much media, this is between you and me cause you started the shit not your company)

[darksoul]

Quote:

Originally Posted by Nathan

Dude, you give away quite a bit of substantial info, its called SOURCE CODE and its available for the whole damn script of yours...

its called open source, lol
I dont need to hide my code behind encoders

[Nathan]

Quote:

Originally Posted by darksoul

If you are so good at what you do , do you know how "least privileges" principle
works ?
And if yes, why don't you apply it ?
Why nats gives access to the entire database to the user thats supposed
to fetch only user and passwords ?

(and I have nothing with too much media, this is between you and me cause you started the shit not your company)

Yeah, I do.. emm.. and we do not dictate what our clients use in terms of database privileges.. btw, if you think "least privileges" principle is so great, WHY THE FUCK do you tell your axscripts clients to set fucking templates and templates_c to mode 777?!? how is that LEAST PRIVILEGES?!

Seriously, people in a glass house should not throw with stones, you are looking stupid here.

Also, NATS has no single user that only fetches user and password... if you mean SPARTA setups with NATS, we actually tell our clients specifically which tables we need select and which we need update/insert privileges on...