Yep, Comus is handing out too much information, including IPs.
Been poking around in Comus Thumbs and found that on a default install the following is world viewable:
http://some tgp.com/ct/dat/raws
/ct/dat/alog
/ct/dat/cstats.dat
/ct/dat/dailytotals
/ct/dat/history
/ct/dat/ip/log
/ct/dat/uniques
It even gives out the administrator's IP. To fix: ssh into your host, drill down to the ct folder, chmod 622 dat
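A quick way to check your own install for the exposure described in the post above. This is an added example written for this thread, not code from Comus or from the poster: it requests each of the listed /ct/dat/ paths, reports any that come back HTTP 200, and counts distinct IPv4 addresses in the returned body as a rough leak indicator (the file formats themselves are not assumed). The base URL, the user agent and the constructed sample responses used for the offline dry run are assumptions.

```python
"""Probe a Comus Thumbs install for world-readable /ct/dat/ files.

Added example for the thread above; not part of Comus Thumbs. The path list
comes from the post; everything else (base URL, response handling, sample
data) is assumed for illustration.
"""
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# Paths reported in the post as world viewable on a default install.
DAT_PATHS = [
    "/ct/dat/raws",
    "/ct/dat/alog",
    "/ct/dat/cstats.dat",
    "/ct/dat/dailytotals",
    "/ct/dat/history",
    "/ct/dat/ip/log",
    "/ct/dat/uniques",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# fetch(url) -> (status, body) or None if the host is unreachable
Fetcher = Callable[[str], Optional[Tuple[int, str]]]


def http_fetch(url: str, timeout: float = 10.0) -> Optional[Tuple[int, str]]:
    """Live fetcher using urllib; reads at most 64 KiB of the body."""
    req = urllib.request.Request(url, headers={"User-Agent": "ct-dat-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, ""          # 403/404 etc. still tell us the status
    except (urllib.error.URLError, OSError):
        return None


def probe_dat(base_url: str, fetch: Fetcher = http_fetch) -> Dict[str, dict]:
    """Request every path under base_url and record status / exposure / IPs."""
    results: Dict[str, dict] = {}
    for path in DAT_PATHS:
        r = fetch(base_url.rstrip("/") + path)
        if r is None:
            results[path] = {"status": None, "exposed": False, "ips": []}
            continue
        status, body = r
        # Only count addresses in bodies we could actually read (HTTP 200).
        ips = sorted(set(IPV4_RE.findall(body))) if status == 200 else []
        results[path] = {"status": status, "exposed": status == 200, "ips": ips}
    return results


def summarize(results: Dict[str, dict]) -> List[str]:
    """One report line per path."""
    lines = []
    for path, r in results.items():
        if r["exposed"]:
            extra = f", {len(r['ips'])} distinct IPv4 address(es) in body" if r["ips"] else ""
            lines.append(f"EXPOSED {path} (HTTP 200{extra})")
        elif r["status"] is None:
            lines.append(f"ERROR   {path} (unreachable)")
        else:
            lines.append(f"ok      {path} (HTTP {r['status']})")
    return lines


def fake_fetch(url: str) -> Optional[Tuple[int, str]]:
    """Constructed responses for an offline dry run; not real Comus data."""
    if url.endswith("/ct/dat/alog"):
        return 200, "203.0.113.7 admin\n198.51.100.4 visitor\n203.0.113.7 admin\n"
    if url.endswith("/ct/dat/ip/log"):
        return 200, "203.0.113.7\n203.0.113.7\n"
    return 403, "Forbidden"


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        res = probe_dat(sys.argv[1])                     # live check of your own site
    else:
        res = probe_dat("http://example.invalid", fetch=fake_fetch)  # offline dry run
    print("\n".join(summarize(res)))
```

Run it against a site you own (`python3 ct_dat_check.py http://yoursite.example`); with no argument it runs the offline dry run. After applying the fix from the post, re-run it and expect every path to come back as something other than 200.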
bump for day crew
oh shit......
Yep, I can't believe this thread went unnoticed.
Way too much info. I just did a test hack and with the information provided above it is possible to take over the Comus site using nothing but the information in /ct/dat/alog, which includes the authorized IP as well as the user name and other info. :warning
part of the program.. maybe had significant on it
Don't use Comus. Smart Thumbs guy here; better report it on their forum.
hmmmm
Sure is kinda strange, but the only info I could find was the IP addys, no login user names? Tested it on my Comus site.
Quote:
Me neither. Different setups, or is that the smell of BS?
Why is showing the IP address for the domain that important? Just nslookup the domain and you will get the IP, nothing special there.
I have the same shit,
but then again I only run it on one site atm, and that one I hardly use.
Quote:
It also shows what you DON'T want people to know: ct/dat/alog shows the IP addy of the admin. You can then easily try to sniff or hack that box; if you succeed :P then you can sniff the passwords or steal info from him/her/them for epassporte/programs/sponsors/sites, you name it.
Quote:
If you used Comus you would know that the username is built in (it doesn't ask for one); it authenticates against the IP. There is other information there but I'm not going to tell you how to read the data (I make script kiddies look stuff up).
The admin IP for Comus Thumbs installs is the same as the domain.
Quote:
Plus more. What's funny is, why is the folder hidden when viewing the site via FTP?? Was this on purpose??
Quote:
http://www.thumbangels.com/ct/dat/alog |
Quote:
It's a good thing people keep finding flaws, but describing and giving clues how the flaw can be detrimental to the server and site owner, on a board where loads of people have the time, know-how and desire to screw over their mother, isn't a good thing to do. *Hey, but that's just me* If you've already attempted to advise Comus about it a few times and nothing was done, then I understand why you're putting it out there and making the users aware of how the rest of their stuff can be compromised.
Quote:
Just pisses me off when the first thing a person says is "oh, it's BS" etc. etc. I didn't give away anything as far as how to exploit the information, and the majority of the people on GFY do not have the know-how; I doubt half know HTML or PHP or any other web language. Just my :2 cents: OK, back to work. If someone has contact info for the script writer, please contact him/her.
I am sure Tony will look into this; he is a sharp fella and a good businessman.
disclosure bump
This post is bullshit.
If you have a problem with Comus, use our forums, or if you have an emergency contact me personally. My phone number is on the front of my website, my forum has personal messaging, and my support email is checked every few hours. If you think you can do anything with this information, OTHER than actually trace a REAL hacker who is trying to get access to your system, then go for it, but expect to be busted. Yes, this information is very handy when you need to catch someone. Comus makes extraordinary efforts to stop, trace and track hackers; yes, everything is recorded. If you think you can hack Comus and we won't find you, then you're an idiot. Just ask some of the guys out there that we've helped to protect. Special thanks to all my friends in Russia, China, Australia, New Zealand, Italy, USA, Germany, Amsterdam, Turkey, Korea, Europe, Asia, North America, South America, the Pacific and Africa for watching our backs. And special thanks to Joe for contacting me personally about this.
Quote:
PussyNegro just got owned. :1orglaugh :1orglaugh Thanks for that, SixZeros. Great script too. :thumbsup
And for the record, I love Comus Thumbs.
Jimi, eat shit, swamp rat.
Quote:
You first, silverback.
I just found this thread; I was offline for the weekend. My role with Comusthumbs hasn't changed, I just need a weekend off every once in a while!
Quote:
I don't think the lad meant any harm. I don't agree that allowing this directory to be publicly accessible is better for customers than having it private; might as well hide that directory unless there's some burning need for it to be open, right? Regardless of the small chance it would help a hacker gain access to your site or you, no chance is better than a slim chance in my books.