GoFuckYourself.com - Adult Webmaster Forum

-   -   ADULTBLACKHAT: Comus gives away 13k webmaster emails (https://gfy.com/showthread.php?t=658282)

Raven Core 09-22-2006 10:37 AM

ADULTBLACKHAT: Comus gives away 13k webmaster emails
 
This post is related to http://www.gofuckyourself.com/showthread.php?t=636295 and is dedicated to sixzero's friends from:
Russia, China, Australia, New Zealand, Italy, USA, Germany, Amsterdam, Turkey, Korea, Europe, Asia, North America, South America, the Pacific and Africa
Lol. Now, if this guy wasn't so cocky maybe I would've just kept my mouth shut. But since he has no clear intention of taking care of this, here's how you can get 13k submitter email addresses from Comus.

If you read the gfy thread you will see that Comus has problems protecting some files which have no reason to be available to the public, and according to sixzero they have no useful information. Well, you guess, I tend to disagree.

EDITED BY VENDZILLA
You only need a line to get the emails from the file:

awk -F':' '{print $2}' submitlog.txt | sort -u

Wait, there's more, see: http://xxxonfire.com/comussites.html that's the list of all sites using Comus which you can easily fetch and download all submitlog.txt files. At the end of it you'll have 13k unique webmaster emails.

If you ever wondered where all your emails are fetched from that could be one source.

If you are a webmaster running Comus, place an .htaccess file in the ct/includes directory with the line: deny from all, till sixzero fixes his shit, if ever.

Stay tuned for more tips and tricks :)


Tune into http://www.adultblackhat.com for more things from the dark side.
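
As an added example (not part of the original post, and not Comus code): a local audit, run against your own document root, that reports every `submitlog.txt` not covered by a deny-all `.htaccess` of the kind the post recommends. The sample tree and the `site_a`/`site_b` names are constructed; the directive match is a heuristic that ignores `<Files>`/`<Limit>` scoping.

```python
"""Added example: find web-readable log files with no Apache deny-all rule."""
import re
import tempfile
from pathlib import Path

# Deny-all directives: Apache 2.2 ("Deny from all") and 2.4 ("Require all denied").
# Heuristic only: a directive nested in <Files>/<Limit> is treated as global.
DENY_RE = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$",
                     re.IGNORECASE | re.MULTILINE)


def is_denied(directory: Path, docroot: Path) -> bool:
    """True if directory, or an ancestor up to docroot, has a deny-all .htaccess."""
    current, docroot = directory.resolve(), docroot.resolve()
    while True:
        ht = current / ".htaccess"
        if ht.is_file() and DENY_RE.search(ht.read_text(errors="replace")):
            return True
        if current == docroot or docroot not in current.parents:
            return False
        current = current.parent


def find_exposed_logs(docroot: Path, names=("submitlog.txt",)) -> list:
    """Return docroot-relative paths of log files not covered by a deny rule."""
    exposed = []
    for path in sorted(docroot.rglob("*")):
        if path.is_file() and path.name in names and not is_denied(path.parent, docroot):
            exposed.append(path.relative_to(docroot).as_posix())
    return exposed


def build_sample_tree(root: Path) -> None:
    """Constructed sample: two installs, only site_b protected as the post advises."""
    for site in ("site_a", "site_b"):
        inc = root / site / "ct" / "includes"
        inc.mkdir(parents=True)
        (inc / "submitlog.txt").write_text("constructed sample line\n")
    (root / "site_b" / "ct" / "includes" / ".htaccess").write_text("deny from all\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        for rel in find_exposed_logs(Path(tmp)):
            print("exposed:", rel)
```

An `.htaccess` rule only takes effect where the server's `AllowOverride` setting permits it, so confirm with a request to the file after deploying.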

butterflybucks 09-22-2006 10:40 AM

Ooooooh I mean whoa!

Gillespie 09-22-2006 10:40 AM

This is gonna be good.

Raven Core 09-22-2006 10:41 AM

Quote:

Originally Posted by butterflybucks
Ooooooh I mean whoa!

I've got 13k emails handy :winkwink:

GrouchyAdmin 09-22-2006 10:42 AM

Well, that log format is pretty retarded, as is storing the md5 hash.

I've seen worse, though. It's not like you're allowed to directly input the computed MD5, and trying to find a key that matches for a hash collision would still take forever.

Interesting post, regardless!

Gnus 09-22-2006 10:44 AM

Damn good thing I don't use it.

Gary

JD 09-22-2006 10:44 AM

well......fuck......

xxxice 09-22-2006 10:45 AM

Drama :Oh crap :Oh crap :Oh crap

Big_D 09-22-2006 10:45 AM

wow, craziness

Raven Core 09-22-2006 10:46 AM

Quote:

Originally Posted by toonpornblog
Well, that log format is pretty retarded, as is storing the md5 hash.

I've seen worse, though. It's not like you're allowed to directly input the computed MD5, and trying to find a key that matches for a hash collision would still take forever.

Interesting post, regardless!

it has no salt so you can reverse the md5 hashes
but you've just got 13k emails you can spam.

jimthefiend 09-22-2006 10:47 AM

I'd hit that.



In fact I think I will right now. LOL































j/k

Vendzilla 09-22-2006 10:48 AM

Raven, Tony has been notified of the problem, he didn't give away those email addresses, you did! Tony is working on a patch for that with the new release. It's not very professional to put up a thread with emails like that, you should have contacted Tony with that, or me!

Raven Core 09-22-2006 10:49 AM

Quote:

Originally Posted by jimthefiend
I'd hit that.



In fact I think I will right now. LOL
j/k

I'm sure Trey is on it right now.

Raven Core 09-22-2006 10:50 AM

Quote:

Originally Posted by Vendzilla
Raven, Tony has been notified of the problem, he didn't give away those email addresses, you did! Tony is working on a patch for that with the new release. It's not very professional to put up a thread with emails like that, you should have contacted Tony with that, or me!


Read the original thread. Tony was notified a shitload of time ago.
He just needs to drop an .htaccess there, no rocket science.
And you think I'm the only one that knows this shit?
You ever wondered where all the spam is coming from?

wdsguy 09-22-2006 10:51 AM

Thanks For The Email List!!! Awesome!@

CaptainHowdy 09-22-2006 10:53 AM

Dammmmmmmmmmmmmmmmmmmmmmmm!!

Vendzilla 09-22-2006 10:55 AM

Quote:

Originally Posted by Raven Core
Read the original thread. Tony was notified a shitload of time ago.
He just needs to drop an .htaccess there, no rocket science.
And you think I'm the only one that knows this shit?
You ever wondered where all the spam is coming from?

And because of the concern, he added that to the list of the new release he's working on, don't be an ass and post webmasters' email addresses, you've been warned

Raven Core 09-22-2006 10:55 AM

Let's put his retarded reply here so people know how much he cares.


Quote:

Originally Posted by sixzeros
This post is bullshit.

If you have a problem with Comus.. use our forums or if you have an emergency contact me personally.

My phone number is on the front of my website and my forum has personal messaging, my support email is checked every few hours...

If you think you can do anything with this information.. OTHER than actually trace a REAL hacker who is trying to get access to your system, then go for it, but expect to be busted. Yes this information is very handy when you need to catch someone.

Comus makes extraordinary efforts to stop, trace and track hackers, yes everything is recorded, if you think you can hack Comus and we won't find you then you're an idiot.

Just ask some of the guys out there that we've helped to protect.

Special thanks to all my friends in Russia, China, Australia, New Zealand, Italy, USA, Germany, Amsterdam, Turkey, Korea, Europe, Asia, North America, South America, the Pacific and Africa for watching our backs.

And special thanks to Joe for contacting me personally about this.


xNetworx 09-22-2006 10:56 AM

The email list can be found by signing up for www.weconvert.com

jimthefiend 09-22-2006 10:56 AM

Quote:

Originally Posted by pimpporn
The email list can be found by signing up for www.weconvert.com




:1orglaugh :1orglaugh

Raven Core 09-22-2006 10:57 AM

Quote:

Originally Posted by Vendzilla
And because of the concern, he added that to the list of the new release he's working on, don't be an ass and post webmasters' email addresses, you've been warned

I don't post email addresses.
But the vulnerability is there for a long time and Tony full of himself said it's nothing.

GrouchyAdmin 09-22-2006 11:00 AM

Quote:

Originally Posted by Raven Core
it has no salt so you can reverse the md5 hashes

Ok, now that's bullshit. At least use time_t as a salt. Jesus.

Raven Core 09-22-2006 11:01 AM

Quote:

Originally Posted by Vendzilla
And because of the concern, he added that to the list of the new release he's working on, don't be an ass and post webmasters' email addresses, you've been warned

Well, I'm no ass, not more than Tony.
Actually I've been quite nice because I offered the webmasters and Tony the quick solution, wasn't I ? :)
Just drop an .htaccess in there.

Raven Core 09-22-2006 11:02 AM

Quote:

Originally Posted by toonpornblog
Ok, now that's bullshit. At least use time_t as a salt. Jesus.

exactly, he wasn't probably aware of Rainbow tables.
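
The salt point debated in the posts above, as an added example (not from the thread or from Comus): an unsalted MD5 is reversed by a single precomputed table, while a random per-record salt with PBKDF2 makes that table useless. The candidate list and function names are constructed for illustration.

```python
"""Added example: unsalted MD5 versus a salted, slow hash."""
import hashlib
import hmac
import os

# Constructed candidate list standing in for a precomputed (rainbow/dictionary) table.
CANDIDATES = ["letmein", "password1", "qwerty", "trustno1"]


def md5_unsalted(secret: str) -> str:
    """The weak scheme: same input always yields the same digest."""
    return hashlib.md5(secret.encode()).hexdigest()


# Built once, this table reverses every unsalted digest of a listed value.
PRECOMPUTED = {md5_unsalted(c): c for c in CANDIDATES}


def lookup(digest_hex: str):
    """Return the plaintext if the digest appears in the precomputed table."""
    return PRECOMPUTED.get(digest_hex)


def hash_salted(secret: str, salt=None, rounds: int = 200_000):
    """PBKDF2-HMAC-SHA256 with a random 16-byte per-record salt."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, rounds)


def verify(secret: str, salt: bytes, digest: bytes, rounds: int = 200_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_salted(secret, salt, rounds)[1], digest)


if __name__ == "__main__":
    weak = md5_unsalted("letmein")
    print("unsalted MD5 reversed to:", lookup(weak))
    salt, strong = hash_salted("letmein")
    print("salted digest in table:", lookup(strong.hex()))
    print("verifies with stored salt:", verify("letmein", salt, strong))
```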

Vendzilla 09-22-2006 11:05 AM

Quote:

Originally Posted by Raven Core
I don't post email addresses.
But the vulnerability is there for a long time and Tony full of himself said it's nothing.

You're the ass that's posting this, not Tony, the problem has always been a priority, got to make you wonder what you're doing clicking around looking for a vulnerability and then exploiting it on your website, then making sure everyone knows about it, what an ass!

Vendzilla 09-22-2006 11:06 AM

Quote:

Originally Posted by Raven Core
Well, I'm no ass, not more than Tony.
Actually I've been quite nice because I offered the webmasters and Tony the quick solution, wasn't I ? :)
Just drop an .htaccess in there.

Because of what the file does, a simple htaccess file won't do it

boneless 09-22-2006 11:10 AM

Raven Core what's your personal problem with comus and or tony?

I'm sure if you would have mailed us I would have caught that email too as I do read the support emails...

So what's the problem, and what's your real nick? I'm sure the raven core is a nick you use to stir up shit...as it has 39 posts and is regged in sept 2006 :S

Vendzilla 09-22-2006 11:13 AM

he registered today, first post he said he was going to start some shit

Raven Core 09-22-2006 11:14 AM

Quote:

Originally Posted by Vendzilla
You're the ass that's posting this, not Tony, the problem has always been a priority, got to make you wonder what you're doing clicking around looking for a vulnerability and then exploiting it on your website, then making sure everyone knows about it, what an ass!

if that's what you think, sure.
I call it full disclosure.

Raven Core 09-22-2006 11:16 AM

Quote:

Originally Posted by boneless
Raven Core what's your personal problem with comus and or tony?

I'm sure if you would have mailed us I would have caught that email too as I do read the support emails...

So what's the problem, and what's your real nick? I'm sure the raven core is a nick you use to stir up shit...as it has 39 posts and is regged in sept 2006 :S

Well, first of all I want to make sure the problem is fixed.
Second, Tony's answer to the original thread looked like he doesn't deserve to be announced.
After all he has all his friends from
Russia, China, Australia, New Zealand, Italy, USA, Germany, Amsterdam, Turkey, Korea, Europe, Asia, North America, South America, the Pacific and Africa

watching his back.

boneless 09-22-2006 11:18 AM

Quote:

Originally Posted by Raven Core
Well, first of all I want to make sure the problem is fixed.
Second, Tony's answer to the original thread looked like he doesn't deserve to be announced.
After all he has all his friends from
Russia, China, Australia, New Zealand, Italy, USA, Germany, Amsterdam, Turkey, Korea, Europe, Asia, North America, South America, the Pacific and Africa

watching his back.

you don't answer my questions really...

Raven Core 09-22-2006 11:21 AM

Quote:

Originally Posted by boneless
you don't answer my questions really...

well, too bad you don't get the point.
Now fix that thing.

squishypimp 09-22-2006 11:31 AM

holy shit, is this forreal?

Gillespie 09-22-2006 11:42 AM

I understand Vendzilla's point of view. However, I do not agree that people who used and/or paid for the software shouldn't know this.

I have no experience with Comus, have very limited experience in the adult webmaster world, but have been around the Internet since 9600bps modems. Based on the little information I know, it is unlikely that the people using Comus would have gotten an email from the scripters saying that this information has been exposed.

The downside of exposing a hole like this is that you also let people who are going to use the information for bad purposes know about it too. If that's the price people have to pay for getting to know that they've been exposed, then so be it; but by no means should this issue have gone unnoticed by the customers of Comus.

I do see a clear intention of Raven Core to give Comus a bad name, but he's not lying about the main issue: Comus has a hole. That's a fact. Furthermore, readers should not be distracted by the whole "Comus sucks"-themed posts and they should look and focus on the real problem. Call me Master of the Obvious, but that's the way I see it.

The fact that I got to see the links that were posted in the first post confirmed the seriousness of the issue. If I hadn't seen them, I'd be calling bullshit or at least have my doubts of how bad the problem is.

:2 cents:

munki 09-22-2006 11:59 AM

How far away is the fix?

Bad juju...

wdsguy 09-22-2006 12:02 PM

this always happens with full security disclosures, if the makers of the software were warned and hadn't done anything in a timely manner to fix the hole .... then I think you can't blame the guy for making this public.

Vendzilla 09-22-2006 12:17 PM

Quote:

Originally Posted by Gillespie
I understand Vendzilla's point of view. However, I do not agree that people who used and/or paid for the software shouldn't know this.

I have no experience with Comus, have very limited experience in the adult webmaster world, but have been around the Internet since 9600bps modems. Based on the little information I know, it is unlikely that the people using Comus would have gotten an email from the scripters saying that this information has been exposed.

The downside of exposing a hole like this is that you also let people who are going to use the information for bad purposes know about it too. If that's the price people have to pay for getting to know that they've been exposed, then so be it; but by no means should this issue have gone unnoticed by the customers of Comus.

I do see a clear intention of Raven Core to give Comus a bad name, but he's not lying about the main issue: Comus has a hole. That's a fact. Furthermore, readers should not be distracted by the whole "Comus sucks"-themed posts and they should look and focus on the real problem. Call me Master of the Obvious, but that's the way I see it.

The fact that I got to see the links that were posted in the first post confirmed the seriousness of the issue. If I hadn't seen them, I'd be calling bullshit or at least have my doubts of how bad the problem is.

:2 cents:

anyone that knows about Comus knows that it's always growing, I've been using it for several years and have seen loads of changes. Tony is always working on improvements. Many people in the industry know and respect Tony for his work and the support you get with comus, it has more customizing capabilities than any other TGP script. Then someone comes in, probably a fake nick, and bashes his company. Never contacted him, if he did, he would have known it was being worked on. But instead decided to post the list of those webmasters for the spammers.

Jace 09-22-2006 12:23 PM

this hole has been there for a LONG fucking time, and sixzeros has talked about fixing it for the same amount of time....um...hello? when is enough enough? just fix the damn hole already, LOL, stop talking about how you know it is there, and DO something about it!

WiredGuy 09-22-2006 12:47 PM

Vendzilla, if you want to edit his post, you should maybe edit his site reference as the exploit is given there in full.
WG

V_RocKs 09-22-2006 12:47 PM

Quote:

Originally Posted by Vendzilla
Raven, Tony has been notified of the problem, he didn't give away those email addresses, you did! Tony is working on a patch for that with the new release. It's not very professional to put up a thread with emails like that, you should have contacted Tony with that, or me!

NO, Tony did... I have seen this same shit over and over again. Someone tells him that something is fucking broken and he acts like it is no big deal. Hacking isn't being able to shoot a large cannon at something and then come in through the enormous hole that was created. Hacking is finding the smallest problem and then exploiting it.


All times are GMT -7.