While I Was Working On An Importer...


Cody

To disclose or not to disclose?  

29 members have voted

  1. Should I disclose vulnerabilities to the software vendor?

    • Yes, it's the right thing to do
      18
    • Yes, even though they will pretend like it never happened
      6
    • No, the fact that these are so obvious means they don't give a crap about their software so why should you?
      3
    • No, may I please have teh exploitz?
      2


We're working on getting an importer working for a certain billing solution, so with the intent of adding data into the system I reluctantly log in. I get about two clicks in when suddenly, my pupils dilate, my palms get sweaty, and I begin to salivate uncontrollably. I've only been logged in for a few brief moments and already I've stumbled upon an exploit.


I'm thinking, "Okay, that was easy." But I've got work to do. We need to get some test data in there so we can verify the importer. Click, click... vulnerability. Click, vulnerability, click, click, vulnerability, vulnerability, vulnerability. Seriously? :blink:

 

A few hours of inputting data and I've discovered more than a dozen vulnerabilities, without looking. No doubt there are many more. They range from mildly amusing, to "OH $*&! Restore backup!".

 

How do you think we should handle this situation?*

 

 

*Obviously we'll be disclosing these vulnerabilities to the proper channels... in due time.

I personally think the answer is yes. It's certainly the right thing to do. However, I would also state to them that unless they correct/acknowledge this issue (give a window of time to them), you will have no option but to inform their community of the vulnerability also. This forces them to act on the issue rather than sweeping it under the rug.

 

If you were to publicly debunk them afterwards, then you have your communications to fall back on of course.

 

As a side note, you could squeeze in some blatant advertising for Blesta while notifying their customers when it came down to that point. :)

I like the way Steven from Rack911 handles these.  He contacts the vendor first and gives them ample time and opportunity to fix the problem.  If the exploit is severe and the vendor's response is "meh", he'll then post about it on WHT.  He won't post the exploit steps or where the exploit resides, but he'll make everyone aware that critical vulnerabilities were uncovered, that the vendor was contacted on xx/xx/xx, and that their response was "meh".

 

In the meantime, do keep working on the import module.  Lots of us are eagerly awaiting an import module for our current billing system.

We hope to have something for you to test pretty soon Dave.

 

We will be reporting our security finds through the proper channels, in the proper way. I can only imagine what we would find if we were performing an actual security audit, and not just stumbling around like a normal user.

 

We are extremely grateful when we are contacted privately about possible security issues in our software.

We hope to have something for you to test pretty soon Dave.

 

We will be reporting our security finds through the proper channels, in the proper way. I can only imagine what we would find if we were performing an actual security audit, and not just stumbling around like a normal user.

 

We are extremely grateful when we are contacted privately about possible security issues in our software.

Damn it lol, helping WHM**. If you were finding a few exploits doing an import, what would you do if you were just browsing it all? They just are full of exploits, which is why we get all these patches lol. Well, good for me since I don't have it from the 1st.

Good to hear!  The latest version of my current billing system broke all my product descriptions and is causing issues with some emails being sent.  I can't wait to get out of this spaghetti disaster.

 

Just attempting to populate some data into their system, we found a lot of weird bugs. I think there was one where you can add events to the calendar, but they don't appear on the calendar. Are you experiencing that one too? We checked the database and they were in there, so we know how to import them at least -- and they should then appear on the Blesta calendar.  ;)

Just attempting to populate some data into their system, we found a lot of weird bugs. I think there was one where you can add events to the calendar, but they don't appear on the calendar. Are you experiencing that one too? We checked the database and they were in there, so we know how to import them at least -- and they should then appear on the Blesta calendar.  ;)

 

No, the calendar is not very helpful.  Their calendar doesn't have the ability to auto-populate events (create a "3-day customer followup with user ____" entry 3 days after service is activated, etc) so I've never touched it.

  • 2 weeks later...
  • 1 month later...

Report it ethically, and document contact; then go public if, and only if, the exploit isn't patched, AND make that clear in your public disclosure.

 

That's the way it's always been done, that's the right way to do it, and I couldn't respect anyone going about it any other way than ethically.

 

I'm here as a prospective customer/refugee-from-the-name-that-shall-not-be-mentioned... but let me say this. I won't buy anything from a company who isn't ethical and I don't respect their practices. Think about it: not doing things "the right way" is what might sink that other ship. Don't be that guy.

We submitted a responsible disclosure document to them today, all issues we found were confirmed to still be issues in their latest release. We'll see how they handle it.

 

 

Probably not well, they'll leave it until they are exploited.

 

 

Does anyone wonder why we jumped ship? *hint* *hint* 

 

This seems to be happening almost weekly now... (referring to exploits, which you may not have even found, I don't know, but I do know their main priority is adding bugs, not fixing them)

This seems to be happening almost weekly now... (referring to exploits, which you may not have even found, I don't know, but I do know their main priority is adding bugs, not fixing them)

 

I think people are starting to realize that it's time to move on, and we're grateful for everyone that decides to make Blesta their billing application of choice.

I think people are starting to realize that it's time to move on, and we're grateful for everyone that decides to make Blesta their billing application of choice.

 

Now if only I could get the dedicated server reseller program I want to use to integrate with Blesta instead of those other people... lol

  • 2 weeks later...

We submitted a responsible disclosure document to them today, all issues we found were confirmed to still be issues in their latest release. We'll see how they handle it.

 

Well, it's been more than 2 weeks and still no patch from them.

 

I would think, given the severity of the issues we presented to them that they would have released a patch by now. Perhaps those 34 exploits have caused too much work for them? B)
