

resellerzoom - doesn't care about security?




Posted by alphamagic, 03-15-2005, 04:13 PM
I've reported to hostingzoom/resellerzoom support that mysqld on their server is old and vulnerable. ANY user can read/write ANY database by following simple instructions available in public. They said the ticket was forwarded to the system administrator, but it's now been 3 days since and no response whatsoever. ANY user can still read/write my (critical?) databases. I hope this thread will make things happen faster. But really it's bad practice when a user has to post here because of lack of response from that side. To resellerzoom: please upgrade to MySQL 4.0.24 ASAP. Why: www [.] securityfocus [.] com/bid/12781/discussion/

Posted by ioZoom, 03-15-2005, 09:45 PM
Hello, You sent it over the weekend and our senior admin is off those days. He is still looking into it at this time. If there were an issue, cPanel would have released an update by now. We can update MySQL, but it can cause problems, and cPanel will overwrite the version with the daily update. We can see about upgrading it without cPanel overwriting it, but we have to ensure it will not break any of the other software/MySQL in general if we do. To say we don't care about security is false, as security is the most important thing to us. You can expect a reply after he has fully investigated the vulnerability.

Posted by alphamagic, 03-15-2005, 10:57 PM
OK, let's wait and see how fast this critical hole will be fixed. AFTER posting on WHT. I wouldn't count on cPanel; they are not a security company, they have nothing to do with MySQL. From your words I can tell that you don't look into security mailing lists, but only cPanel updates? You should really subscribe to a few mailing lists, as you have very many people relying on you with their clients. By the way, I didn't say you don't care about security, that was a question.

Posted by ioZoom, 03-15-2005, 11:49 PM
It doesn't get any faster just because it's posted on WHT. We already got your request, but as I said it was over the weekend and our senior admin doesn't work those days. He has been looking into it and is still looking into it. He doesn't spend every working hour looking into it obviously, unless he feels it's very urgent, as there are other issues to take care of. Things don't just get upgraded because you tell us there is a vulnerability. It takes time to investigate the issue, which is what's being done. I wouldn't either, but I can guarantee you if there were a huge vulnerability issue, the users of cPanel would already be talking about it. You are right, I don't subscribe to any security lists. I don't even pay attention to cPanel updates. I employ 8 admins and techs to do that. Currently, my senior admin is looking into it, so it is being taken seriously. I don't know if you are expecting us to just go in and upgrade it instantly or whatever, but you can rest assured we take vulnerabilities very seriously. Just because you don't get a response right away does not mean we don't listen or care. These types of issues take lots of time to investigate.

Posted by alphamagic, 03-16-2005, 12:10 AM
That means it's not urgent? Any user can delete all your databases if he wants to. If it's not urgent, I don't know what urgent is :/ I would appreciate it if you explained "looking into it". I have a few servers myself, and to upgrade MySQL you need to: download the source, compile, install. That's it. "Looking into it" just sounds like a standard tech support answer, don't you think? These types of issues must be addressed urgently; they're security issues. What sort of investigation are you talking about? To confirm the issue exists? That's easy and may take 10 mins: www [.] securityfocus [.] com/bid/12781/exploit/ You can also check the changelog of MySQL: dev [.] mysql [.] com/doc/mysql/en/news-4-0-24.html
----------------------------------------------
Sometimes your service is just great. But sometimes you're just missing very important things to keep you on top of the list.

Posted by ioZoom, 03-16-2005, 02:38 AM
There are many things closely tied into the cPanel backend and some things we don't have control over, such as the version it uses, and can cause things to break. Also, all cPanel servers that use 4.0.xx have this same issue (thousands of servers). We are not being irresponsible by being aware of the fact that cPanel will overwrite the version on the nightly updates. We also have the servers configured to prevent many exploits, and there was no evidence this was an issue on our servers. Regardless, we've updated MySQL and will disable the cPanel auto-update to prevent it from overwriting the version, and re-enable that feature only if there's a critical update for cPanel itself or something that requires us allowing cPanel to update some software due to the relationship with cPanel. I'm not aware of one out of the many thousands of cPanel servers that had this exploit run on successfully (not that I'm saying it can't be). Being able to view other users' databases is not the same as being able to modify or drop the databases. Some things that affect other hosts may not affect us due to security implementations and configurations that are not default/standard. We are willing and do make efforts to ensure the systems remain up to date and secure, and while some notices may claim there's an exploit or issue, the software versions often contain sub-versions that are actually patched.
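The two checks this exchange boils down to, written out as an added example that is not part of the original posts and not resellerzoom's or cPanel's own tooling: is the running mysqld at or above 4.0.24 (the release alphamagic cites as fixed), and will cPanel's nightly update leave a hand-built MySQL alone afterwards? The script parses a `mysqld --version` line, compares the release number field by field rather than as a string (so 4.1.0 and 5.0.3 correctly count as newer than 4.0.24), and greps the update config. The `/etc/cpupdate.conf` path and its `MYSQLUP=never` key are assumptions about the cPanel layout of that era, and the sample version lines and config contents are constructed, not captured from any server.

```shell
#!/bin/sh
# Added example (not from the original thread, resellerzoom or cPanel):
# verify that mysqld is at or above the release the thread names as fixed
# (4.0.24) and that cPanel's nightly update will not revert the upgrade.
# ASSUMPTIONS: /etc/cpupdate.conf is the cPanel update config and
# MYSQLUP=never is the key that stops it touching MySQL. Adjust as needed.

MIN_MYSQL_VERSION="4.0.24"
CPUPDATE_CONF="/etc/cpupdate.conf"   # assumed path

# Pull the x.y.z release out of a version line. The greedy ".*" means the
# LAST x.y.z token wins, so "mysql  Ver 12.22 Distrib 4.0.24" also parses.
extract_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*[^0-9.]\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Field-by-field numeric comparison of two x.y.z strings; true when $1 >= $2.
# Call it inside "if" or with "||" so "set -e" scripts do not abort on false.
version_ge() {
    a="$1"; b="$2"
    a1=${a%%.*}; a=${a#*.}; a2=${a%%.*}; a3=${a#*.}
    b1=${b%%.*}; b=${b#*.}; b2=${b%%.*}; b3=${b#*.}
    if [ "$a1" -ne "$b1" ]; then [ "$a1" -gt "$b1" ]; return $?; fi
    if [ "$a2" -ne "$b2" ]; then [ "$a2" -gt "$b2" ]; return $?; fi
    [ "$a3" -ge "$b3" ]
}

# Report on one "mysqld --version" line: returns 0 only when the release
# number is at or above MIN_MYSQL_VERSION, 2 if no version could be parsed.
mysqld_is_patched() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then
        echo "could not parse a version from: $1" >&2
        return 2
    fi
    if version_ge "$v" "$MIN_MYSQL_VERSION"; then
        echo "mysqld $v: at or above $MIN_MYSQL_VERSION (patched release)"
        return 0
    fi
    echo "mysqld $v: older than $MIN_MYSQL_VERSION (still the vulnerable series)"
    return 1
}

# Given the cpupdate.conf contents as $1, true when MySQL updates are off.
# ASSUMPTION: MYSQLUP=never is the setting that disables them.
cpanel_leaves_mysql_alone() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*MYSQLUP=never[[:space:]]*$'
}

# Constructed sample inputs (not real server output) for offline use.
SAMPLE_OLD="mysqld  Ver 4.0.20-standard for pc-linux on i686"
SAMPLE_NEW="mysqld  Ver 4.0.24-standard for pc-linux on i686"
SAMPLE_CONF_OK="CPANEL=stable
RPMUP=daily
MYSQLUP=never"
SAMPLE_CONF_BAD="CPANEL=stable
RPMUP=daily
MYSQLUP=daily"

# Live check on the current host; STATUS ends up 1 if anything is wrong.
STATUS=0
if command -v mysqld >/dev/null 2>&1; then
    mysqld_is_patched "$(mysqld --version 2>/dev/null | head -n 1)" || STATUS=1
fi
if [ -r "$CPUPDATE_CONF" ]; then
    if cpanel_leaves_mysql_alone "$(cat "$CPUPDATE_CONF")"; then
        echo "$CPUPDATE_CONF: MYSQLUP=never, nightly update will not replace mysqld"
    else
        echo "$CPUPDATE_CONF: MYSQLUP is not 'never', nightly update may revert the upgrade"
        STATUS=1
    fi
fi
```

A numeric version check is only as trustworthy as the version string: as ioZoom notes, vendor or panel builds sometimes carry a backported fix under an older number, and the reverse also happens when a panel silently replaces a hand-built binary. Confirm against the build's own changelog (alphamagic points at the 4.0.24 release notes) and re-run the check after the next nightly update rather than assuming the upgrade stuck.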

Posted by alphamagic, 03-16-2005, 05:10 AM
Thank you! Everything is great now.

Posted by Shaw Networks, 03-20-2005, 08:57 PM
Does posting publicly that your web host runs an older exploitable version of MySQL make your website any safer? Do you care about server security?

Posted by alphamagic, 03-20-2005, 09:06 PM
IncognitoNetworks, you cannot argue with the results. 12 hours after posting here and everything is great and secure. I spent 3 days trying to convince them about this problem, so I don't see any point in posting in this thread anymore. Problem solved.

Posted by ldcdc, 03-20-2005, 09:30 PM
This thread is closed. IncognitoNetworks, I suggest you stop bringing up threads that are relatively old and have run their course. If you have plenty of free time and feel the need to post more, there's always something to talk about in the lounge. Thank you.


