GoFuckYourself.com - Adult Webmaster Forum


commonsense 05-02-2008 05:10 AM

MPA3 compromised ?
 
Quote:

Posted: 04/30/2008
LOS ANGELES - A routine audit of source code for MPA3 found a "mySQL injection," but the company said the matter has already been resolved.

Oystein Wright, CEO of Mansion Productions, the parent company of MPA3, said the injection meant someone could have added strings to the variables MPA3 uses and extracted some information from the database.

The company that conducted the audit notified officials from MPA3 about the issue Monday, and MPA3 officials checked and verified the issue, Wright said.

"We prepared a fix and started updating clients' programs right away," he said.

Clients were notified of the security issue findings and the implemented fix via email, Wright said, adding that, "To date, no information has been lost or compromised that we know of."

"We did get feedback from a few clients asking if their programs had been fixed, and they were all happy to hear that they were," he said. "I have yet to get a single complaint, and I believe it is because we made the necessary changes to secure their programs as soon as we found out about it."



Link to full story

GrouchyAdmin 05-02-2008 05:13 AM

That's an oops.

StuartD 05-02-2008 05:23 AM

Yeah, they "fixed" it by telling programs to restrict IPs to the admin section.
There are ways around that as well. What all else has been fixed since then, I don't know.

The entire exploit has been posted on a bunch of places around the net. So fixing it as soon as they were informed about it likely didn't avoid much damage since it could have been around for some time before that.

I wonder if minuseonebit will/would go after them with the same vigor he did for NATS.

YellowPages 05-02-2008 05:43 AM

Anything plugged in to fiber is vulnerable.

Coding core using safe practices is the best safeguard against PHP and MySQL injections, but that doesn't just secure anything and everything.

The important part is recognizing and correcting any weak points in potentially vulnerable scripts.

People try to inject my scripts all the time, it's a fact out here.

The best thing I can do to protect myself is to use safe coding practices instead of shortcuts, and to buy safe coded commercial scripts and even check them myself if there's any doubt as to their security.

If Oystein is fixing it/has fixed it, then great.

It's still vulnerable. It's plugged in.
So is my bank.

My bank had good software, so does Oystein.

YP

Jens Van Assterdam 05-02-2008 05:43 AM

And you guys still wonder where all the passwords in password forums come from..?

mrkris 05-02-2008 08:22 AM

It happens. The best of developers can screw up. All it takes is a long day of coding or lack of sleep to accidentally skip over sanitizing user-submitted data.

At least he had it fixed (in some form) :thumbsup

Nookster 05-02-2008 08:48 AM

One of the easiest flaws to deal with, yet thousands of developers (or I should say amateurs, rather) continue to not protect their SQL scripts. I find it simply amazing. :disgust

NETbilling 05-02-2008 08:49 AM

MPA is solid and they are very proactive.

Mitch


All times are GMT -7.