CjOverkill 2.0.2 released to fix a severe security bug
 

CjOverkill 2.0.2 has been released today in order to fix a severe security bug that allows any malicious webmaster to steal traffic, admin credentials and insert malicious code into the targeted site.



Other products vulnerable to this kind of bug are:

TTT, CjUltra, Traffic Drive (all these tested).
Also could be vulnerable EPowerTrader, but I did not get a copy where to test this one.

These scripts creators have 24 hours to contact me for the bug report and proof of concept code (for $100 on paypal). Or to whoever who wants it during the next 24 hours for $150 on paypal too. After these 24 hours the bug report will be available for free to any of my private security database subscribers and any other admin or webmaster who wants to pay $50 on paypal for that.
After several days and the big part of the sites using these scripts get fixed the exploit code will become available to whoever requests it (with testing and research proposes) for $25 or for free (still not decided).

Bug Allows:
Only using a browser and very little knowledge, to steal traffic, put a popup or any other code.
With a bit of more knowledge, steal the admin auth credentials and access to the admin area.

NOTE: no info will be disclosed during the next 6 or 12 hours untill all the CjOverkill driven sites upgrade their version.

For blames, screams or other stuff contact ICQ: 171216535

Kind of like a ransom. How nice of you.

If it is what I think it is, it's been there for years, and there are already quite a few people who know how to take advantage of it. I believe it's even been reported to Lane once, but he didn't do much about it from what I've heard.

This tactic is indeed like asking for a ransom though. It does not give a good impression at all.

As long as my users are ok I don't give a fuck about other script users, but someone could want to know what's the problem and how to fix it.
The only reason to not release the bug report for free is because my work is not free and I took my time to research it and make some tests.

You can like my methods or not. I don't care about that. The only shure thing is that my users already have the patched code available and do not need to care about that bug.

Bad attitude towards potential customers, and even worse image to present yourself with in the business :2 cents:

Agreed.

Kinda nice that you'll sell the info for 24 hours to just anyone that feels like cheating a script and fucking webmasters.

:321GFY

Dumbass

http://www.mindcontroll.com/cccc.jpg

Why not threaten to hack Sleazy's servers again. LOL.

And as potential customers they can use my product and become active customers as it has no this kind of bugs.
I guess you do not give your competitors stuff for free nor help them to fix bugs on their products. Why should I do that ?
I'd rather prefer to give them a possible solution for some small fee and/or get some customers on my side.

Also I give 24 hours because my users get the reports by email and also see the bug reports in their admin area. So that makes an active site owner to be able to see the update report in less than 24 hours.
You can imagine that I do not care how much time do other developers to release a patch, I know that my response time is 24 hours as much, so I act according to my response time and not to their response time that could be 5 days for example.

Asshole! :321GFY :321GFY :321GFY

You have a product aimed at adult webmasters and as such depend largely on your image among them. I don't. See the difference?

Now, what you could have done is just make a big-ass post about this subject saying you have gone to a new version because of this bug, and then say that the other trade scripts around also have this bug, and that you will mail their coders with details.

That would've made you look like the good guy and the more capable coder, thus bringing business to your product. Right now, however, you look like a money-hungry asshole who doesn't give a fuck about other webmasters. Guess how that'll effect your business :glugglug

I can understand selling the information to competitors as your business is the script itself and time involved to research, etc. But just selling the code to any dick, joe or harey so they can have a chance at cheating webmasters makes you look like a fucking retard.

If you'll purposely give tools to allow webmasters to be fucked, what do you think that says about you and your business?

What you guys don't get is that Icefire wrote his program for himself. He really does not care if anyone uses it. It serves his purposes and should anyone choose to use it...that's like icing on the cake.

CJOverkill is a teeny tiny portion of his total business plan. I've worked with him in the past and even then was never sure about all he had planned.

If the script owners aren't interested in bug fixing their products, shouldn't the users have a right and means to protect themselves? I didn't see any mention that he was looking to sell his code to cheaters.

Good job Kel...no one else here would work for free, I don't see any reason that you should either. Keep it up! :thumbsup

:1orglaugh :1orglaugh :1orglaugh :1orglaugh

I can't see any diffenrence between selling that code and selling a hitbot.
A hitbot coder don't work free either and he is allso fucking careless if anyone use it.

You are worse then a fucking terrorist and scum sucking maggot which this is going to cost you too my friend "I PROMISE". If any of my sites or customers sites have a single problem after your ststements i will personally be on a plane to your house to hurt you very bad. You dont know who your playing with little boy and i hope you dont think im one to make empty threats or that would be a very big mistake.

You and you little pal better hope your sites dont go down and you server does not get hacked and more then anything that i never catch you. If i do catch you even your own mother wont recognize you when im done. :boid

You know what happens to extortionist and those who defend them?

Be careful what you say or you might end up paying the consiquences for your statements. You boys are messing with the wrong people and this is enough when it puts my business at risk. Its bad enough he ripped the TTT to build his script around the TTT engine. But keep pressing the issue about his hard work stupid boy i will love to knock some sense into your warped little mind.

Bunch of haters :321GFY

Keep up the good work! :thumbsup

:1orglaugh :1orglaugh That's what I was thinking!

jDoG

Thank you for the input sir. As you are not my customer I don't give a fuck about your complains about somebody else product problem.

I am very sorry but I do not give security audits and patches for free (except if I think there is some fun with that and I did that in my free time)

Have a nice day :)

PS: next time the exploit code and bug disclose will be released directly in the wild and for free after all my customers have updated. This way you will probably feel better. For now it's a non disclosed bug (you know it's there but you don't have the info about how to exploit it), so don't piss me too much because my patience is not infinite. You prefer all the people to have access to an exploit code affecting lots of people or several well located people who can be traced if problems start to happen? Also if someone pays for some exploit code most probably he does that because he wants to fix it and not to use it against some other sites. If you make some math it's better to buy $100 in traffic than stealing probably way less than that after all is fixed around.

Just think a little... exploits for all the 16 years h4x0r kids for free, or bug reports + possible fix for well known people who know what they do and you know who they are in case of something goes wrong around?

So basically what you are doing is finding exploits in other scripts and selling these to anyone with the money? If you are making so much money, why are you bothering with this little stuff? Maybe I should offer $1000 for someone to find exploits in your script that btw any TGP using is blacklisted in Findtrades.com anyway. I will then just give the exploits away to everyone for free. You really need to rethink your strategy here. If you did indeed find a exploit you need to give it to the writers without charge. You also need to post here once and for all about this Candyflip idiot who seems to have a crush on you. Is he your business partner or not? Don't start a war you will not win. Your ethics are showing thru dude. You cannot come up with a original idea of your own so you steal and modify my code. You must wake up in the morning feeling pretty good about yourself, eh?

Icefire and I were teamed up at one point in time, but are no longer. I had some personal issues to attened to and couldn't devote as much time as I would have liked to the project. There was no need for him to stop on my behalf. I've got my own small project in the works, and it's mostly thanks to him.

He's still a friend who I think does great work and I'll be right here to back him up anytime I can.

According to a icq I had with him he does not even know who you are punk. He said you are freaking him out just like you freak me out. You are one wierd motherfucker dude. You think you are cute with all your smartass big talk. Your warnings from me are over. You constantly stick your nose in others business. You fuck with peoples business for the sheer fun of it, you think you can continue this childish behaviour forever?

Ok, let's go...

1 ) Yes please. pay whoever you want. I will be pleased to get a free security audit. Really no joke.
2 ) If you did indeed find a exploit you need to give it to the writers without charge... Sorry sir, this concept is quite strange for me. Do you give traffic for free to anyone who reports a gallery cheater on your program?
Also the last time I reported a bug regarding another product (your product) for free I got banned, you blamed me a lot and at the end it was not a good experience, so now at least I get money for my work if someone wants to pay.
3 ) My business partners are not of your incounvence (or whatever the word is). And no, candiflyp is not my partner but we still have some small business together and have a good friendship, so you can still keep us in your blacklist :) And according to the attacks on our servers in the past. It was not candiflyp as I traced it to another person (at least the attacks on my server).
4 ) My ethics are quite simple. I give the code and bug disclose to script writers during the next 24 hours of the patch release. If they are not interested it's not my problem. After that the exploit comes to my database as I have lots of clients working as security auditors and probably they will not be happy to get fucked some client site because of a stupid bug.
5 ) I sleep good, thanks.

And yes, candiflyp freaks me from time to time when he start his big dramma threads :) but this is not your business.

Can't we just all get along? :helpme :1orglaugh

Well yes when it affects me it becomes my business. But what is happening to you and your sites in the next few days is none of my business, nor am I the one doing it. So when your shit falls apart don't do like you did last time and attack my servers. I have absolutely NOTHING to do with this. I warned you that sooner or later you will step on the wrong toes and get fucked. You have made many enemies with your unethical behaviour. Don't go pointing your finger at me when someone lays the smack down on you. This is not my way of taking care of things. I just blacklist every tgp that uses your stolen script. That is all I do. That is all that is needed.

Anyone who has ever thrown two lines of code together and bothers to look can see that this script is a blatant rip off of TTT.

Does the fact that both scripts have the same vulnerability say anything about their origin?

Probability that Icefire wrote this script for himself: zero.

Probability that Icefire is a lying, thieving extortionist: 100%.

The only bigger idiot than Icefire is anyone who uses "his" script and sends him 1% of their traffic.

Any trading script author who wants to know what this vulnerability is and how to fix it, PM me and I will tell you for free.

This is an old and obvious vulnerability.

If you have TTT and are worried, set your script to only accept trades in the findtrades database. That will mostly protect you. You can achieve total protection without a new version of TTT, but I can't say how without giving away the vulnerability, which I am reluctant to do here.

There is a simple technique that every web developer should be aware of and use to automatically to counter this type of problem, but I am reluctant to mention it in this context. No professionally written script should ever have this problem.

You're one funny guy Choker, always good for a hearty chuckle. Talk about childish behavior. You're just a big fucking hypocrite.

At that point in time it was my business...it was definitely not for fun. From Keloyan's response above, anyone can clearly see that you have no clue what you're talking about. Quite honestly...I have no clue what you're talking about either.

What's this about me attacking his server? Can I at least hear the story?

All in all, this doesn't involve me anymore.

So Choker...GO FUCK YOURSELF :thefinger

If you can get off a few days from McDonalds and go to a show, let me know and I will be sure to be there so you can say this to my face. In the meantime why don't you post all your domains here so we can all have a big laugh.

what an asshole.

If you can make a fix for TTT and CJultra I will pay you for them and give them away for free. Of course if Lane does not object. I do not know the traffic drive dude. Nobody should have to have fixes held at ransom by these punk ass nobodies.

maybe you got a stalker

More childish behavior. Like I said man, this doesn't concern me anymore. Keep to your own sandbox and I'll keep to mine.

is this topic deserve popcorn ?

I thing so, maby a beer allso

Since his script is based on yours, the fixes he did for his script will work on yours. Except that he didn't do his right. I'll correct his fix and send it to you for free. We can discuss anything beyond that privately. I see that the GFY PM is disabled. contact me at [email protected].

I just have one question...

If you don't give a shit about other scripts then why the big "24 hours until..." show? Release your new version, stress that it's a critical security upgrade, then forget about it. It's obvious that your motives go further than merely protecting your customers.

I love watching these 3 play...... Choker, a known commodity in this biz, versus 2 nobody?s who stole his code.... always fun to watch the other 2 make asses of themselves....

:)

You can add anything you want this way into TTT linktracking page. I think it works for CjUltra too.

(Replace * with < and >)

ttt-out.php?link=*b**h1**a href=www.shitcity.com**FREE SHIT* */a*

or maby you can add some javascr|pt, I dont know..

Hmm. cats out of the bag. Here it goes:

Preventing cross site scripting attacks () in PHP:

1. Never use register_globals. This is off by default in PHP 4.2 or later, anyway.

2. NEVER trust anything from the outside world. This means anything that you get from $_GET, $_POST, $_FILES, $_COOKIES, and $_SERVER. Always validate/condition these input values. Some programmers don't realize that cookies, hidden INPUT fields and SELECT fields or any other input is easily faked.
insecure:
$x = $_GET['param'];
more secure:
$x = strip_tags($_GET['param']);

3. use mysql_escape_string when storing non-constant values into the database.
insecure:
mysql_query("UPDATE table SET field='$value'");
more secure:
mysql_query("UPDATE table SET field='" . mysql_escape_string($value) . "'");

4. If you are outputting html, pass all non-constant values through htmlspecialchars when you output them.
insecure:
echo "$link";
more secure:
echo htmlspecialchars($link);


Some scripts have problems with the five evil html characters: " ' < > and &. Some PHP scripts also have problems with $ and \. more rarely with $0 or \0.

A professional script written by a real web developer will gracefully handle these characters in any form field, cookie, or url.

Here is what changed between CJOverkill 2.0.1 and CJOverkill 2.0.2:

Interestingly, it doesn't look like vBulletin correctly handles the five special html characters in its input. So many scripts don't work correctly. View source for this page to see what the diff output should really look like.

Choker, any programmer should be able to fix your script with this info. Any other script authors can audit/fix their own scripts. I wish you the best of luck in dealing with this guy.

Script Dude :thumbsup

Oops. Forgot to mention for trade script users:

If you turn java script off in your browser while you are accessing the admin area of your trading script, then your "admin credentials" can't be stolen with this technique.

If you have no toplist, then there is no place to insert "malicious code" that might "steal traffic."

If you require trades to be approved first, then there is also no way for "malicious code" to make it into your toplist if you have one.

That is at least as far as I can see.

god bless TM3

dont forget ucj and arrowtrader ;)

UCJ is the best free script out there:2 cents:

never used arrow