GoFuckYourself.com - Adult Webmaster Forum (https://gfy.com/index.php)
-   Fucking Around & Business Discussion (https://gfy.com/forumdisplay.php?f=26)
-   -   Is your NATS hacked ? (https://gfy.com/showthread.php?t=794078)

k0nr4d 12-22-2007 04:11 AM

I've seen code by the tmm guys, i seriously doubt there are any sql injection issues in nats...

uno 12-22-2007 04:15 AM

Panchodog has had the admin locked down via specific full IPs for a very long time now.

quantum-x 12-22-2007 04:18 AM

Quote:

Originally Posted by k0nr4d (Post 13550154)
I've seen code by the tmm guys, i seriously doubt there are any sql injection issues in nats...

Then you're a bad coder. :2 cents:
It's just that simple.

jscott 12-22-2007 04:22 AM

Any input from NATS on this matter? I find this very disturbing, need a little reassurance please John

k0nr4d 12-22-2007 04:24 AM

Quote:

Originally Posted by quantum-x (Post 13550170)
Then you're a bad coder. :2 cents:
It's just that simple.

preventing sql injection is not rocket science, buddy.

quantum-x 12-22-2007 04:32 AM

Quote:

Originally Posted by k0nr4d (Post 13550184)
preventing sql injection is not rocket science, buddy.

Please don't patronize me. I've worked very closely w/ NATS and CARMA since they were in beta.
I have personally tested and proved SQL injections against NATS and CARMA [and dutifully reported them]. I have looked at the source of both, and literally just took a scroll through it again. There are exploitable areas. I haven't seen a mysql_real_escape_string anywhere in the code I saw, and 6 months ago, there were definite issues. HTML_special_chars / [and god forbid] addslashes and the ilk are not sql protection.

Check out - http://www.gofuckyourself.com/showpo...&postcount=218

I know programmers love to piss on each other, but the fact of the matter is that basically ANY script online is susceptible to attack, whether it be by the script itself, or the frameworks that support it.
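
Added example, not part of any post in this thread: the distinction drawn in the post above between output escaping and SQL protection, shown with Python's sqlite3 standing in for PHP and MySQL. The `affiliates` table, its rows and the `addslashes` stand-in are constructed for illustration.

```python
import html
import sqlite3


def addslashes(s: str) -> str:
    """Stand-in for PHP addslashes(): backslash-escape ' " \\ and NUL."""
    return "".join("\\" + c if c in "'\"\\\0" else c for c in s)


def make_db() -> sqlite3.Connection:
    """Constructed sample data; table and column names are hypothetical."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE affiliates (id INTEGER PRIMARY KEY, login TEXT)")
    conn.executemany("INSERT INTO affiliates VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn


def lookup_filtered(conn, raw_id: str) -> list:
    """'Before': HTML escaping plus addslashes, then string-built SQL."""
    filtered = addslashes(html.escape(raw_id))
    sql = f"SELECT login FROM affiliates WHERE id = {filtered}"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_bound(conn, raw_id: str) -> list:
    """'After': validate the type, then bind the value as a parameter."""
    try:
        affiliate_id = int(raw_id)
    except ValueError:
        return []  # not an integer id: reject instead of querying
    rows = conn.execute("SELECT login FROM affiliates WHERE id = ?",
                        (affiliate_id,))
    return sorted(row[0] for row in rows)


if __name__ == "__main__":
    db = make_db()
    # Numeric context: the input holds no character either filter rewrites,
    # so it reaches the SQL parser unchanged and alters the WHERE clause.
    hostile = "2 OR 1=1"
    print("filtered:", lookup_filtered(db, "2"), lookup_filtered(db, hostile))
    print("bound:   ", lookup_bound(db, "2"), lookup_bound(db, hostile))
```

The bound version never lets the input reach the SQL grammar, so it does not depend on which characters an escaping function happens to cover.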

borked 12-22-2007 04:37 AM

Quote:

Originally Posted by jscott (Post 13550178)
Any input from NATS on this matter? I find this very disturbing, need a little reassurance please John

John said in this thread that he's emailing all NATS customers. You haven't received that email by now?

borked 12-22-2007 04:40 AM

Quote:

Originally Posted by quantum-x (Post 13550198)
Please don't patronize me. I've worked very closely w/ NATS and CARMA since they were in beta.
I have personally tested and proved SQL injections against NATS and CARMA [and dutifully reported them]. I have looked at the source of both, and literally just took a scroll through it again. There are exploitable areas. I haven't seen a mysql_real_escape_string anywhere in the code I saw, and 6 months ago, there were definite issues. HTML_special_chars / [and god forbid] addslashes and the ilk are not sql protection.

Check out - http://www.gofuckyourself.com/showpo...&postcount=218

I know programmers love to piss on each other, but the fact of the matter is that basically ANY script online is susceptible to attack, whether it be by the script itself, or the frameworks that support it.

Interesting...
How many people have access to the open source of NATS? Surely the only way to know where these exploits are, if what you say is correct, is to have access to the source.

How come you have access to the source?

k0nr4d 12-22-2007 04:42 AM

Quote:

Originally Posted by quantum-x (Post 13550198)
Please don't patronize me. I've worked very closely w/ NATS and CARMA since they were in beta.
I have personally tested and proved SQL injections against NATS and CARMA [and dutifully reported them]. I have looked at the source of both, and literally just took a scroll through it again. There are exploitable areas. I haven't seen a mysql_real_escape_string anywhere in the code I saw, and 6 months ago, there were definite issues. HTML_special_chars / [and god forbid] addslashes and the ilk are not sql protection.

Check out - http://www.gofuckyourself.com/showpo...&postcount=218

I know programmers love to piss on each other, but the fact of the matter is that basically ANY script online is susceptible to attack, whether it be by the script itself, or the frameworks that support it.

You may be right, or they may be doing their escaping in the nats_db_query function or relying on magic_quotes_gpc. I don't have access to the nats source, but I'm working on a project with TMM and from the cleanliness of their code, I doubt they would make some noobish mistakes like not sanitizing user input.

quantum-x 12-22-2007 04:44 AM

Quote:

Originally Posted by borked (Post 13550216)
Interesting...
How many people have access to the open source of NATS? Surely the only way to know where these exploits are, if what you say is correct, is to have access to the source.

How come you have access to the source?

A lot of exploits are found by brute forcing. Even public live distros like Backtrack have huge DBs of exploits you can just run over a site / server looking for penetration points.

I don't have the full source, I just have it for a few key files that were left on my server after a tech did an upgrade. TMM knows I have seen them, and I promised them to pass on any info I saw in there that might cause problems, and I have :)

Jet - BANNED FOR LIFE 12-22-2007 04:50 AM

Quote:

Originally Posted by jscott (Post 13550178)
Any input from NATS on this matter? I find this very disturbing, need a little reassurance please John

why do you care, you don't even have an affiliate program

mattyboy 12-22-2007 05:02 AM

Quote:

Originally Posted by Jet (Post 13550243)
why do you care, you don't even have an affiliate program

Perhaps his details have got into the wrong hands if he's joined nats programs :2 cents:

borked 12-22-2007 07:27 AM

Quote:

Originally Posted by SmokeyTheBear (Post 13549328)
i find it odd they would allow an employee one user/pass to get into every nats sponsor.

i find it doubly odd that nobody from nats noticed this account had been compromised before it was posted on gfy.

The TMM login name seems pretty generic and long. AFAIK, there isn't one master access user/pass that accesses all installs.

John said in another thread that it "fully appears to be a compromised password list", so I guess the TMM passwords all got out somehow.

Looks like that's all closed now as he also stated "We have changed our policy so that we no longer maintain ANY passwords to ensure this does not happen via us ever in the future"

borked 12-22-2007 07:40 AM

So, to summarise, since John's last post has gotten buried in a lot of FUD

It looks like a password list has gotten out so NATS owners should contact TMM to see if their customer data has been compromised. OC3 ([email protected]) have also said they can help people with this.

TMM have or are in the process of changing all TMM passwords throughout their client base.

TMM have now taken additional security measures by not storing all passes on their end to prevent this happening again.

TMM are adding additional security measures (1-way encrypted passes) in future NATS releases.

So, if I'm not mistaken, any current NATS owners should now be secured (or over the next day or two) from further compromise via this route.

But, in all, everyone, no matter what software you use, should take database security very seriously and daily audit any accounts (ssh/mysql/web-based) that have privilege access.

Looks like this issue has come to resolution, so I'm off to enjoy my holidays :thumbsup

s9ann0 12-22-2007 07:42 AM

It wouldn't be the first time it had happened and it wouldn't be the first time someone got an admin's password and used it on other machines either.

I thought NATS were more security conscious than most though

Paul Markham 12-22-2007 09:11 AM

Quote:

Originally Posted by iMind (Post 13549292)
threats of lawsuit in 10, 9 , 8 , 7 ...

The lawsuit might be coming, but in a different direction.

notoldschool 12-22-2007 09:21 AM

NATS haters unite..lol. TMM is awesome and unlike most other companies in the industry are on the problems before or as they happen. It's funny you see the shady programs come in here to bash nats when they are the most suspect. Your stats scare the shit out of me....0/10ooo+.

DO NOT TRUST PROGRAMS THAT HAVE CUSTOM BACKENDS. THEY ARE THE ONES TO WATCH FOR.

SmokeyTheBear 12-22-2007 09:27 AM

Quote:

Originally Posted by notoldschool (Post 13550899)
NATS haters unite..lol. TMM is awesome and unlike most other companies in the industry are on the problems before or as they happen.

that's funny because they were aware of this problem many moons ago and yet instead of fixing the problem they put the blame on their customers. meanwhile MY personal information was stolen.. that doesn't sound like being "on the problem" this issue has been going on for MONTHS.



Quote:

Originally Posted by notoldschool (Post 13550899)
It's funny you see the shady programs come in here to bash nats when they are the most suspect. Your stats scare the shit out of me....0/10ooo+.

you must be the "exception" to the rule , i have never seen any sponsors "bashing" nats , and i think any long term webmaster has noticed non-nats sponsors perform better as a whole.

Quote:

Originally Posted by notoldschool (Post 13550899)


DO NOT TRUST PROGRAMS THAT HAVE CUSTOM BACKENDS. THEY ARE THE ONES TO WATCH FOR.

like nastydollars and bangbros , industry leaders ?

SmokeyTheBear 12-22-2007 09:32 AM

p.s. i should also mention at this point that one of the only sponsors i have heard from that WASN'T hacked was mayors money, and this is because THEY went thru extra security measures above and beyond.

big props to mayors money, your info is secure

SmokeyTheBear 12-22-2007 09:34 AM

Quote:

Originally Posted by borked (Post 13550531)
TMM have now taken additional security measures by not storing all passes on their end to prevent this happening again.

i wonder if one of their security measures will be to listen to their clients and stop blaming their customers for their own security problems.

TheDoc 12-22-2007 09:45 AM

Quote:

Originally Posted by SmokeyTheBear (Post 13550952)
p.s. i should also mention at this point that one of the only sponsors i have heard from that WASN'T hacked was mayors money, and this is because THEY went thru extra security measures above and beyond.

big props to mayors money, your info is secure

http://www.mayorsmoney.com/
http://www.score-group.com/
http://www.evilgneiuscash.com/
http://www.dukedollars.com/

I haven't checked everyone and as I do have updated - corrected them. Thus far, these 4 programs do not have any logins from that IP.

This is a short list of the SEVERAL that use the NATS built in security features that protect your members, webmasters, and admin data.

NATS has the security features already - question is which sponsors are using them?

spacedog 12-22-2007 09:47 AM

Quote:

Originally Posted by mattyboy (Post 13550265)
Perhaps his details have got into the wrong hands if he's joined nats programs :2 cents:

While that certainly is a possibility, there's no indication that this has occurred.
It so far just appears to be a harvest of emails

borked 12-22-2007 09:48 AM

Quote:

Originally Posted by TheDoc (Post 13551012)
I haven't checked everyone and as I do have updated - corrected them. Thus far, these 4 programs do not have any logins from that IP.

You need to be checking not for just that IP, but *any* IP on the TMM account that isn't TMM's (67.84.12.95)

TheDoc 12-22-2007 09:50 AM

Mod to above post, wrong URL for score, duh..

http://www.score-cash.com/ (clean program)

TheDoc 12-22-2007 09:51 AM

Quote:

Originally Posted by borked (Post 13551034)
You need to be checking not for just that IP, but *any* IP on the TMM account that isn't TMM's (67.84.12.95)

Aye, I know this.. When the NATS systems are IP locked, nobody but the allowed IP's can access the backend.

SmokeyTheBear 12-22-2007 09:57 AM

Quote:

Originally Posted by spacedog (Post 13551024)
While that certainly is a possibility, there's no indication that this has occurred.
It so far just appears to be a harvest of emails

i would find it very unlikely they "only" grabbing emails of members.

the bot is likely used to maintain the list that's why it accesses so often but the affiliate info would likely only be grabbed once making it a lot harder to spot amongst the hundreds of email grabs :2 cents:

Gordon G 12-22-2007 10:00 AM

Quote:

Originally Posted by Jet (Post 13550243)
why do you care, you don't even have an affiliate program

Why do you care, you are just a contest whore, amazing you are actually posting in a thread that is not a contest, you silly fuck.

milan 12-22-2007 10:18 AM

Quote:

Originally Posted by SmokeyTheBear (Post 13551080)
i would find it very unlikely they "only" grabbing emails of members.

the bot is likely used to maintain the list that's why it accesses so often but the affiliate info would likely only be grabbed once making it a lot harder to spot amongst the hundreds of email grabs :2 cents:


True since they full access they probably collected much more... I just posted what we discovered back in October 2007

https://gfy.com/fucking-around-and-business-discussion/794159-nats-issue.html

D 12-22-2007 10:27 AM

Quote:

Originally Posted by borked (Post 13550081)
No, members passes are cleartext by default. Affiliate passwords are two-way encrypted. What I don't understand is why the need for two-way encryption? To reset an affiliates pass if they forgot it in the backend is nothing, so 1-way encryption would have been far better. John posted in another thread that this is to be included in NATS4. Shame it wasn't sooner IMPO.

Perhaps I'm misremembering, but I coulda sworn that affiliate passwords were displayed... is the encryption something that's changed in the last eighteen months?

And even if passwords are not available, I do, certainly, remember the 'become reseller' option... can affiliates examine their own password via their account's interface, or no? If "no," maybe the case is that I've misremembered, and would appreciate confirmation on that.

Been awhile, and I don't have an updated version of NATs in front of me to play around with.
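
Added example, not part of the original thread and not NATS code: one-way storage with an admin reset in place of password recovery, as argued in the quoted post above. The account name and the PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def hash_password(password: str) -> str:
    """Return a self-describing record: scheme$iterations$salt$digest."""
    salt = secrets.token_bytes(16)  # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest from the stored salt; nothing is ever decrypted."""
    try:
        scheme, iters, salt_hex, dk_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        expected = bytes.fromhex(dk_hex)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    except (ValueError, OverflowError):
        return False  # malformed record: fail closed
    return hmac.compare_digest(dk, expected)


def admin_reset(accounts: dict, login: str) -> str:
    """Support flow without recovery: issue a new temporary password and
    store only its hash. The old password is never shown to anyone."""
    temporary = secrets.token_urlsafe(12)
    accounts[login] = hash_password(temporary)
    return temporary


if __name__ == "__main__":
    accounts = {"affiliate1": hash_password("old secret")}  # hypothetical account
    print(accounts["affiliate1"])  # what a stolen admin login would see
    temp = admin_reset(accounts, "affiliate1")
    print(verify_password("old secret", accounts["affiliate1"]),
          verify_password(temp, accounts["affiliate1"]))
```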

Ray@TastyDollars 12-22-2007 10:39 AM

Quote:

Originally Posted by TheDoc (Post 13551012)
http://www.mayorsmoney.com/
http://www.score-group.com/
http://www.evilgneiuscash.com/
http://www.dukedollars.com/

I haven't checked everyone and as I do have updated - corrected them. Thus far, these 4 programs do not have any logins from that IP.

This is a short list of the SEVERAL that use the NATS built in security features that protect your members, webmasters, and admin data.

NATS has the security features already - question is which sponsors are using them?

Add TastyDollars to that list.

We had 1 login from that NATS admin account and the date matched on the day they were doing some work for us.

We have also deleted that account just to be extra careful.

Ray
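
Added example, not part of the original thread and not NATS code: one way to run the audit borked describes (any login on the vendor account from an IP that is not the vendor's) together with the date cross-check Ray describes. The log format, the `tmm_support` account name, the booked work date and every address except 67.84.12.95 are constructed.

```python
import ipaddress
from datetime import datetime

VENDOR_ACCOUNT = "tmm_support"   # hypothetical account name
VENDOR_NETS = [ipaddress.ip_network("67.84.12.95/32")]  # address quoted in the thread
WORK_DATES = {"2007-10-03"}      # constructed: days support work was booked

# Constructed sample log: "<timestamp> <account> <source ip> <action>"
SAMPLE_LOG = """\
2007-10-03T14:02:11 tmm_support 67.84.12.95 login
2007-10-19T03:40:52 tmm_support 203.0.113.7 login
2007-11-02T03:41:10 tmm_support 67.84.12.95 login
2007-11-02T09:15:00 site_admin 198.51.100.20 login
-- rotated --
"""


def audit(log_text, account=VENDOR_ACCOUNT, nets=VENDOR_NETS,
          work_dates=WORK_DATES):
    """Return (timestamp, ip, reason) for each vendor login needing review."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] != account or parts[3] != "login":
            continue  # other accounts, other actions, non-log lines
        try:
            when = datetime.fromisoformat(parts[0])
            ip = ipaddress.ip_address(parts[2])
        except ValueError:
            findings.append((parts[0], parts[2], "unparseable"))
            continue
        if not any(ip in net for net in nets):
            # The check from the thread: any source that is not the vendor's.
            findings.append((parts[0], str(ip), "unexpected_ip"))
        elif when.date().isoformat() not in work_dates:
            # A vendor address alone is not proof: no work was booked that day.
            findings.append((parts[0], str(ip), "no_scheduled_work"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```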

Karupted Charles 12-22-2007 10:42 AM

I wonder if anyone tried to warn people a long time ago that they had serious security issues but was bashed by all the guys John bought drinks for.

fuzebox 12-22-2007 11:08 AM

Quote:

Originally Posted by Brad Mitchell (Post 13549820)
oh jesus christ does NATS really store the affiliate passwords in plain text for an admin access user to view? Tell me that's not true. Please, really. Can anyone confirm?

Brad

Yes, this is true. Both affiliate (including admin users who are stored as affiliates) and members (surfer joins) are stored in plaintext.

borked 12-22-2007 11:13 AM

Quote:

Originally Posted by fuzebox (Post 13551293)
Yes, this is true. Both affiliate (including admin users who are stored as affiliates) and members (surfer joins) are stored in plaintext.

PURE FUD.

Thomas N 12-22-2007 11:33 AM

QuickBuck has not been compromised in any way.

ARS Bryan 12-22-2007 11:35 AM

Quote:

Originally Posted by notoldschool (Post 13550899)
NATS haters unite..lol. TMM is awesome and unlike most other companies in the industry are on the problems before or as they happen. It's funny you see the shady programs come in here to bash nats when they are the most suspect. Your stats scare the shit out of me....0/10ooo+.

DO NOT TRUST PROGRAMS THAT HAVE CUSTOM BACKENDS. THEY ARE THE ONES TO WATCH FOR.

You're a fucking moron :thumbsup

SmokeyTheBear 12-22-2007 12:22 PM

Quote:

Originally Posted by Ray@TastyDollars (Post 13551213)
Add TastyDollars to that list.

We had 1 login from that NATS admin account and the date matched on the day they were doing some work for us.

We have also deleted that account just to be extra careful.

Ray

:thumbsup:thumbsup

SmokeyTheBear 12-22-2007 12:26 PM

Quote:

Originally Posted by TheDoc (Post 13551053)
Aye, I know this.. When the NATS systems are IP locked, nobody but the allowed IP's can access the backend.

then again , if the head programmer at nats has his password compromised its likely they "could" use nats ip to connect and get the info the same way.

AlienQ - BANNED FOR LIFE 12-22-2007 12:50 PM

Quote:

Originally Posted by Karupted Charles (Post 13551222)
I wonder if anyone tried to warn people a long time ago that they had serious security issues but was bashed by all the guys John bought drinks for.


Raises hand.

WarChild 12-22-2007 12:52 PM

Quote:

Originally Posted by AlienQ (Post 13551639)
Raises hand.

You're just an idiot that nobody takes serious. You didn't warn anybody of anything. You don't have nor have you ever had any insider information about nats or anything else. Again, you're just a broke tool.

notoldschool 12-22-2007 12:55 PM

Quote:

Originally Posted by ARS Bryan (Post 13551364)
You're a fucking moron :thumbsup

You're a fucking dick. Thanks for the compliment.


All times are GMT -7. The time now is 04:14 AM.
