MPA3 compromised ? - GoFuckYourself.com

commonsense · 05-02-2008, 05:10 AM

Quote:

Posted: 04/30/2008
LOS ANGELES - A routine audit of source code for MPA3 found a "mySQL injection," but the company said the matter has already been resolved.

Oystein Wright, CEO of Mansion Productions, the parent company of MPA3, said the injection meant someone could have added strings to the variables MPA3 uses and extracted some information from the database.

The company that conducted the audit notified officials from MPA3 about the issue Monday, and MPA3 officials checked and verified the issue, Wright said.

"We prepared a fix and started updating clients' programs right away," he said.

Clients were notified of the security issue findings and the implemented fix via email, Wright said, adding that, "To date, no information has been lost or compromised that we know of."

"We did get feedback from a few clients asking if their programs had been fixed, and they were all happy to hear that they were," he said. "I have yet to get a single complaint, and I believe it is because we made the necessary changes to secure their programs as soon as we found out about it."

Link to full story

GrouchyAdmin · 05-02-2008, 05:13 AM

That's an oops.

StuartD · 05-02-2008, 05:23 AM

Yeah, they "fixed" it by telling programs to restrict IP's to the admin section.
There are ways around that as well. What all else has been fixed since then, I don't know.

The entire exploit has been posted on a bunch of places around the net. So fixing it as soon as they were informed about it likely didn't avoid much damage since it could have been around for some time before that.

I wonder if minuseonebit will/would go after them with the same vigor he did for NATS.

YellowPages · 05-02-2008, 05:43 AM

Anything plugged in to fiber is vulnerable.

Coding core using safe practices is the best safeguard against PHP and MySql injections, but that doesn't just secure anything and everything.

The important part is recognizing and correcting and weak points in potentially vulnerable scripts.

People try to inject my scripts all the time, it's a fact out here.

The best thing I can do to protect myself is to use safe coding practices instead of shortcuts, and to buy safe coded commercial scripts and even check them myself if there's any doubt as to their security.

If Oystein is fixing it/has fixed it, then great.

It's still vulnerable. It's plugged in.
So is my bank.

My bank had good software, so does Oystein.

YP

Jens Van Assterdam · 05-02-2008, 05:43 AM

and you guys still wonder where all the passwords in password forums come from..?

mrkris · 05-02-2008, 08:22 AM

It happens. The best of developers can screw up. All it takes is a long day of coding or lack of sleep to accidentally skip over sanitizing user submitted data.

Atleast he had it fixed (in some form)

Nookster · 05-02-2008, 08:48 AM

One of the easiest flaws to deal with yet thousands of developers (or I should say amateurs, rather) continue to not protect their sql scripts. I find it simply amazing.

NETbilling · 05-02-2008, 08:49 AM

MPA is solid and they are very proactive.

Mitch

05-02-2008, 05:13 AM	#2
GrouchyAdmin Now choke yourself! Industry Role: Join Date: Apr 2006 Posts: 12,085	That's an oops. __________________ AIM: GrouchyGfy

05-02-2008, 05:23 AM	#3
StuartD Sofa King Band Join Date: Jul 2002 Location: Outside the box Posts: 29,903	Yeah, they "fixed" it by telling programs to restrict IP's to the admin section. There are ways around that as well. What all else has been fixed since then, I don't know. The entire exploit has been posted on a bunch of places around the net. So fixing it as soon as they were informed about it likely didn't avoid much damage since it could have been around for some time before that. I wonder if minuseonebit will/would go after them with the same vigor he did for NATS. __________________ This is me on facebook This is me on twitter

05-02-2008, 05:43 AM	#5
Jens Van Assterdam The Dupre Pimp Join Date: Feb 2008 Location: Koh Samui Posts: 6,677	and you guys still wonder where all the passwords in password forums come from..? __________________ Read TOS for signature rules

05-02-2008, 08:22 AM	#6
mrkris Confirmed User Join Date: May 2005 Posts: 2,737	It happens. The best of developers can screw up. All it takes is a long day of coding or lack of sleep to accidentally skip over sanitizing user submitted data. Atleast he had it fixed (in some form) __________________ PHP-MySQL-Rails \| ICQ: 342500546

05-02-2008, 08:48 AM	#7
Nookster Confirmed IT Professional Industry Role: Join Date: Nov 2005 Location: Hollywood, CA Posts: 3,744	One of the easiest flaws to deal with yet thousands of developers (or I should say amateurs, rather) continue to not protect their sql scripts. I find it simply amazing. __________________ The Best Affiliate Software, Ever.

05-02-2008, 05:43 AM	#4
YellowPages Shooter Pinks Industry Role: Join Date: Mar 2008 Location: My wife's website. In bed. She's naked ;) Posts: 150	Anything plugged in to fiber is vulnerable. Coding core using safe practices is the best safeguard against PHP and MySql injections, but that doesn't just secure anything and everything. The important part is recognizing and correcting and weak points in potentially vulnerable scripts. People try to inject my scripts all the time, it's a fact out here. The best thing I can do to protect myself is to use safe coding practices instead of shortcuts, and to buy safe coded commercial scripts and even check them myself if there's any doubt as to their security. If Oystein is fixing it/has fixed it, then great. It's still vulnerable. It's plugged in. So is my bank. My bank had good software, so does Oystein. YP

05-02-2008, 08:49 AM	#8
NETbilling Confirmed User Industry Role: Join Date: Jan 2002 Location: Huntington Beach, CA Posts: 8,588	MPA is solid and they are very proactive. Mitch __________________ Mitch Farber CEO - NETbilling, Inc. Email / Phone: 888-357-8166 / 661-252-2456 Transaction processing & 24/7 call center services with exceptional rates and flexibility, since 1998!