possible NATS exploit?
 

Can anyone confirm or deny this information?

http://www.gofuckyourself.com/showthread.php?t=630815

:helpme :helpme :helpme

I guess that the script connects to a nats site and sponsors get it down for too many requests.

lol, you're so clueless.

I have n o idea.

Sounds more like a more serious problem at first sight

neh, the database on that server its fucked up.
nothing directly related to nats.

What about the other programs that also do not seem to work ?

Anyway its getting popular so everybody will start finding bugs for it soon.

Do you have any more inside knowledge than the rest of us ?

No, but happens with everything... phpbb... vbulletin... windows...

oh well, seems hackers are everywhere

is this for real?

Read the other thread

some nats programs are ok

NATS isn't open source.. security through obscurity.

There are Zend decoders now, though.

nor is vbulletin or windows

I was talking about the posibility, i dont really know how Nats works or what they offer.

What has Zend to do with this ?

ok, so it seems only some programs are having problems. Could this be related to a certain version or is it may be a mysql problem ?

Just a matter of time i think.. all adult-cms had/have bugs..:disgust
mpa,sitdepth and so on :(

Has any of them exposed already ?

There wasnt a public advisory as far as i know but i said it here allready http://www.gofuckyourself.com/showthread.php?t=629368

Thx for the info

This is not a NATS bug, its neither a NATS exploit.

People that do not understand errors should not throw around words like "exploit"... what other programs do not work right now? I only know of this one problem with panchodog.

The error with panchodog is a mysql problem, not a NATS problem. Just because NATS is so nice and actually produces intelligent error displays for the client does not mean its a damn NATS problem or exploit!

This is what I was thinking also. lol This whole thread is da silly. Dumbest thread of the day?

http://affiliates.panchodog.com/signup.php?nats=
I wouldn't consider this an intelligent error

Lol.. ok, if ya say so...

What would be intelligent?

"Sorry, but there is a problem, please come back later."???

So the client has to sit there and figure out for hours what the issue actually is?

The page tells you EXACTLY what the problem is, thats the whole point of an error. Just because YOU do not understand it does not mean its not a correct error.

haha
listen, now you got me mad,
you're a fucking idiot, I know better than you what that means
You shouldn't disclose informations to the public moron
A message like
"A mysql error was found" would've been more intelligent
than telling all the world where nats is installed so it can be abused
when a bug is found.

That shit is called "path disclosure" look it up genius.

Also, You don't have to display errors on the site for YOUR customer to
see it. Those can be logged separately.

Your error just told me:
the panchodog server is running freebsd
theres a table called accounts in nats
nats is installed in /usr/home/natsinstall
panchodog is running version 3.0.29
- this appear to be wrappers around pear functions.

DO YOU REALLY NEED TO GIVE THAT INFO TO THE PUBLIC
YOU are so fucking intelligent and so are your errors

I advice you to not fucking reply to this thread anymore!

Sorry I made you mad, lol...

oppinions, oppinions.. everyone and their mother has one...

We create the errors in this way so the clients notice them, we know our clients... The location disclosure of NATS itself is also no problem because in now-a-days exploits the path can be retreived anyway, its not so hard ya know, people that use exploits will find it fast anyway (in case they even NEED it, which is not even the case)... There is a reason why not even apache has a problem with disclosing full paths to websites, nor does PHP on standard php errors...

We tried many different error displays in the past, we also had it turned off totally for some time and only did logging, we had too many clients get problems because of it and this way simply fixes things faster (98% of the time)...

The errors do not disclose information that could not be retreived in many other ways if you want to exploit someone...

LOL... you threatening me somehow or what? Chill man, its just an error.. and we have reasons for a backtrace, I'm so sorry that you disagree with how we do things.... live with it...

Dude, that's not exactly difficult to figure out, even without an error message.

I see you ignored my advice.


You just called your clients idiots, good job! You probably know that for a fact cause they chose you!




dude, look at all the data I fetched from a simple error
I don't want to think how much shit can be fetched from your script.

You are supposed to take security seriously and not this fuck it attitude.
Just because it can happen in other ways doesn't mean your script has
to allow it.

and you'd know how ?
I'll give you one day to show me that data without using nats.
if not you'll have to build 100 galleries for epictrash

the advice was so that you don't get me even more mad and show more about what pos your script is.

I did not call our clients idiots, far from it.. all I said is that we know our clients well, and we know what they want and ask from us ;)

The errors are created like this for a reason, I told you that plenty of times, if you do not understand or agree, thats not my problem, its yours...

The information disclosed in no way is a problem, it only helps us and the client, and thats what it is there for...

BTW, I just looked at axscripts.com, a friendly advice... you might want to reconsider posting here...

Again, sorry that I made you mad... kinda sad how easy it is to get you mad though...

And hey, if you know of bugs in NATS (guessing that is what you mean by "what pos your script is"), please do tell! I'd love to know them so we can fix them (in case we have not already in our latest version)

Because I have a working knowledge of php and sql. Considering what you do, I'm shocked as hell you're making such a big deal out of this. Every fucking script I know of displays at least SOME path info in error messages when there are DB issues. There are also 50 million ways to find that info out even without an error.

Your motivations in this are more than a little suspect.

You don't dictate ANYTHING to me, btw.

random bump

PS, on that lame little support forum for that shitty little trade script you have, there are several posts discussing errors of a similiar nature, AND displaying similiar information. IE. paths, etc.



Does that mean that POS you spam has an exploit?

LMA0

Fact is I prepared a bunch of servers for nats and I know how clueless you are
about servers and when you tell me I dont understand a mysql error yea it gets me mad

you are so cocky!
but thanks, I've wasted enough time on it.

Dude! I didn't said no script has them.
It just give too much information and I don't call that an "intelligent error"

yup, it has a shit load of bugs.
I coded it in two hours but it wont give away any substantial info if lets say it would be hacked.
Can nats say the same if someone hack them ?

LOL, you are funny... I'm curious how _I_ am "clueless" about servers.. not sure how you base this on the fact that you prepared servers for nats before, but thats ok... I'd like to know what you think makes us (as in Too Much Media, yes, this is not a one-man-show, we actually have an office and employees and such) "clueless" about servers... I'm seriously interested in that btw, I like to learn...

and I'm not cocky, I'm just good at what I do.. well.. and I'm german, so my english might not be perfect...

Dude, seriously. How is it NOT intelligent?



NATS has found a problem

DB Error: Can't open file: 'accounts.MYI'. (errno: 145)

/usr/home/natsinstall/nats/includes/database.php:430



That gives you the db name, error code, file thats making the call and on what LINE of code the call is being made from.


I just don't get you. lol

I don't see how that could be more clear.

Dude, you give away quite a bit of substantial info, its called SOURCE CODE and its available for the whole damn script of yours...

If you are so good at what you do , do you know how "least privileges" principle
works ?
And if yes, why don't you apply it ?
Why nats gives access to the entire database to the user thats supposed
to fetch only user and passwords ?

(and I have nothing with too much media, this is between you and me cause you started the shit not your company)

its called open source, lol
I dont need to hide my code behind encoders

Yeah, I do.. emm.. and we do not dictate what our clients use in terms of database privileges.. btw, if you think "least privileges" principle is so great, WHY THE FUCK do you tell your axscripts clients to set fucking templates and templates_c to mode 777?!? how is that LEAST PRIVILEGES?!

Seriously, people in a glass house should not throw with stones, you are looking stupid here.

Also, NATS has no single user that only fetches user and password... if you mean SPARTA setups with NATS, we actually tell our clients specifically which tables we need select and which we need update/insert privileges on...