VHCS v2.4.7.1 Pro – DO NOT USE

I want to publically convey my disgust with the VHCS v2.4.7.1 Pro project. Anyone considering using this should go find another project. I will detail my reasons below, but the overall message is DO NOT USE VHCS.

First of all lets take a stroll down memory lane encompassing the last six months and my trouble with VHCS. Below are previous blog posts about my trouble with a huge VHCS v2.4.7.1 Pro security issue that nobody has done anything about.
May 7, 2006: Server rebuilt after being hacked

July 29, 2006: Hacked Again

July 30, 2006: Hacked Site

August 15, 2006: Hacked again, had gone unnoticed for about a week

There is a very easy to find VHCS v2.4.7.1 Pro exploit page that allows you to create an admin user on ANY VHCS v2.4.7.1 Pro (or earlier) system. The security hole is so huge that a simple javascript attack based in an html form will give complete access to any VHCS v2.4.7.1 Pro or earlier system. The only thing you need to know to take over control of a machine is the URL. (note: I have decided to omit the link to the exploit. I don’t mean to spread cracking tools, my main purpose is to point out the reason not to use VHCS.)

VHCS is vulnerable up to & including the latest VHCS v2.4.7.1 Pro. There has been no updates or work on this issue that I can find in the last six months! The developers are very aware of this issue and have done nothing to fix it! I have posted on their forums and contacted them directly, as have other people in the community, and nothing has been done! The latest news I can find on the VHCS site is about the pending 3.0 release, but that is also a dated post & no work has been done to release a security fix.

A writeup about the vulnerability, how it works & details on the lack of updating can also be found at: http://www.rs-labs.com/adv/RS-Labs-Advisory-2006-1.txt Below is an excerpt from the advisory.

.: [ HISTORY ]

* 19/Jan/2006: - I discovered bug #1 on VHCS 2.4.6.2 while evaluating the software.

- Asked for VHCS security contact.

- Alexander Kotov contacted.

* 20/Jan/2006: - I noticed the bug was fixed in 2.4.7.1 (although it was hard to detect because

vendor -one more time- did not clearly announce it on its main page).

* 05/Feb/2006: - VHCS security patch v.1 was released.

* 07/Feb/2006: - I noticed the patch release and reviewed it.

- Bugs #1 and #2 reported to vendor. At the same time, public
disclosure (because the impact was *minimum*: affected users
were indeed only the people who installed the buggy security
patch; furthermore, to be "infected" they first should have
noticed the patch release and have time to install it. First
condition is difficult to comply with, given that vendor
doesn't have any announce mailing-list).
- Vendor got angry due to public disclosure (it breaks its
security-by-obscurity policy) and refused to give any detail
to public mailing-lists neither privately to me.
- Moreover, vendor began insulting me and other VHCS users who
asked for clarifications about the security patch.
- I decided not to talk to that vendor anymore. This includes
stopping the reporting of security bugs to them. This advi-
sory will NOT be the exception.

* 08/Feb/2006: - I found bugs #3 and #4. I also built the exploit for them [3].

* 11/Feb/2006: - Advisory released.

DO NOT USE VHCS v2.4.7.1 Pro – DO NOT USE VHCS v2.4.7.1 Pro