I want to publicly convey my disgust with the VHCS v2.4.7.1 Pro project. Anyone considering using this should go find another project. I will detail my reasons below, but the overall message is DO NOT USE VHCS.
First of all, let's take a stroll down memory lane encompassing the last six months and my trouble with VHCS. Below are previous blog posts about my trouble with a huge VHCS v2.4.7.1 Pro security issue that nobody has done anything about.
May 7, 2006: Server rebuilt after being hacked
July 29, 2006: Hacked Again
July 30, 2006: Hacked Site
August 15, 2006: Hacked again, had gone unnoticed for about a week
There is a very easy to find VHCS v2.4.7.1 Pro exploit page that allows you to create an admin user on ANY VHCS v2.4.7.1 Pro (or earlier) system. The security hole is so huge that a simple JavaScript attack based in an HTML form will give complete access to any VHCS v2.4.7.1 Pro or earlier system. The only thing you need to know to take over control of a machine is the URL. (Note: I have decided to omit the link to the exploit. I don’t mean to spread cracking tools; my main purpose is to point out the reason not to use VHCS.)
VHCS is vulnerable up to & including the latest VHCS v2.4.7.1 Pro. There have been no updates or work on this issue that I can find in the last six months! The developers are very aware of this issue and have done nothing to fix it! I have posted on their forums and contacted them directly, as have other people in the community, and nothing has been done! The latest news I can find on the VHCS site is about the pending 3.0 release, but that is also a dated post & no work has been done to release a security fix.
A writeup about the vulnerability, how it works & details on the lack of updating can also be found at: http://www.rs-labs.com/adv/RS-Labs-Advisory-2006-1.txt
Below is an excerpt from the advisory.
.: [ HISTORY ]
* 19/Jan/2006: - I discovered bug #1 on VHCS 2.4.6.2 while evaluating the software.
- Asked for VHCS security contact.
- Alexander Kotov contacted.
* 20/Jan/2006: - I noticed the bug was fixed in 2.4.7.1 (although it was hard to detect because vendor -one more time- did not clearly announce it on its main page).
* 05/Feb/2006: - VHCS security patch v.1 was released.
* 07/Feb/2006: - I noticed the patch release and reviewed it.
- Bugs #1 and #2 reported to vendor. At the same time, public disclosure (because the impact was *minimum*: affected users were indeed only the people who installed the buggy security patch; furthermore, to be "infected" they first should have noticed the patch release and have time to install it. First condition is difficult to comply with, given that vendor doesn't have any announce mailing-list).
- Vendor got angry due to public disclosure (it breaks its security-by-obscurity policy) and refused to give any detail to public mailing-lists nor privately to me.
- Moreover, vendor began insulting me and other VHCS users who asked for clarifications about the security patch.
- I decided not to talk to that vendor anymore. This includes stopping the reporting of security bugs to them. This advisory will NOT be the exception.
* 08/Feb/2006: - I found bugs #3 and #4. I also built the exploit for them [3].
* 11/Feb/2006: - Advisory released.
DO NOT USE VHCS v2.4.7.1 Pro – DO NOT USE VHCS v2.4.7.1 Pro
If you want to use it you should customize it to cover all the security holes. 😉 I find it quite simple to correct the code. Hint: find a PHP programmer with some server administration skills.
VHCS doesn’t even host a forum now. So sad…
Can you advise a replacement of VHCS?
Go for SysCp instead of VHCS
I found major SQL injection paths in VHCS back in 2005. The developers accepted my patches, but didn’t seem to quite grasp the severity of the issue (my initial bug report was downgraded) until I submitted an exploit to SecurityTracker, then they became very eager to understand the issue. I spent an entire weekend changing literally hundreds of lines of code to force their SQL through a common function that properly sanitized and escaped their queries. I submitted this and was rewarded with complaints that a couple of pages no longer functioned. I checked and I’d omitted a semicolon on those pages. Never mind that I had warned them about the rush job I’d done and that they’d need to review all the functionality since I didn’t use all of it myself.
Anyway, I was left with a bad taste about both their attention to security and their rather unwelcome response to my initial bug report. I avoid them now. It’s too bad since it’s a rather nice interface.
http://securitytracker.com/id/1013703
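The remediation described in the comment above (routing every query through one common helper instead of building SQL by string concatenation), as an added PHP example that is neither VHCS code nor the commenter's patch. It uses PDO prepared statements against an in-memory SQLite table; the table, columns, rows and function names are constructed for the demo and assume the pdo_sqlite extension is available.

```php
<?php
// Added example, not VHCS code: the injectable concatenation pattern beside a
// single query helper that every caller must use. Schema and rows are
// constructed for the demo (in-memory SQLite via PDO; assumes pdo_sqlite).

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE admin (admin_id INTEGER PRIMARY KEY, admin_name TEXT, admin_type TEXT)');
$pdo->exec("INSERT INTO admin VALUES (1, 'root', 'admin'), (2, 'alice', 'reseller'), (3, 'bob', 'user')");

// Vulnerable pattern: untrusted input is spliced into the SQL text, so a quote
// in $name changes the structure of the WHERE clause instead of its value.
function find_admin_unsafe(PDO $db, string $name): array
{
    $sql = "SELECT admin_id, admin_name, admin_type FROM admin WHERE admin_name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: one helper owns statement preparation; values travel as
// bound parameters and never become part of the SQL text. Callers pass a
// fixed SQL string plus an array of values, which is easy to grep for in review.
function exec_query(PDO $db, string $sql, array $params = []): array
{
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function find_admin_safe(PDO $db, string $name): array
{
    return exec_query(
        $db,
        'SELECT admin_id, admin_name, admin_type FROM admin WHERE admin_name = ?',
        [$name]
    );
}

// Constructed input containing a quote: the concatenated query treats it as SQL,
// the parameterised query treats it as a literal account name that does not exist.
$input = "x' OR '1'='1";
printf("unsafe: %d row(s) returned\n", count(find_admin_unsafe($pdo, $input)));
printf("safe:   %d row(s) returned\n", count(find_admin_safe($pdo, $input)));
```

Once a helper like exec_query() is the only code path that calls prepare(), any remaining direct call to query() or exec() with a dynamic string stands out in a code review.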