PlunderHere and AlsoShop: A Web of Privacy Violations, Backstabbing, and Deceit

[regic]

why did you [TheTradersPost] choose a script with a history of security problems?
http://www.google.com/sea...6-26%2CGGGL%3Aen&sa=2

The scriptmaker hasn't fixed a security problem which the US Government's US-CERT rates as "High Risk"
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5122

The security alert was issued in September 2007.  Why didn't you check the script's history before you bought it?

Overview

SQL injection vulnerability in store_info.php in SoftBiz Classifieds PLUS allows remote attackers to execute arbitrary SQL commands via the id parameter.

Impact

CVSS Severity (version 2.0):
CVSS v2 Base score: 7.5 (High) (AV:N/AC:L/Au:N/C:P/I:P/A:P) (legend)
Impact Subscore: 6.4
Exploitability Subscore: 10.0

Access Vector: Network exploitable
Access Complexity: Low
Authentication: Not required to exploit
Impact Type: Provides unauthorized access, Allows partial confidentiality, integrity, and availability violation , Allows unauthorized disclosure of information , Allows disruption of service

Anybody with access to Google could find the instructions for hacking the script because it is on the first page of search results for "softbiz classifieds".  Didn't you notice that 4 of the 10 results on page one of a Google search for the script pertain to the script's security problems???

Softbiz Classifieds PLUS (id) Remote SQL Injection Vulnerability      Archive
Classifieds SQL INJECTION #### #### BY IRCRASH #### ##################################################################################### # # #AUTHOR ...
www.milw0rm.com/exploits/4457

If you haven't done so already, I'd immediately delete the affected store_info.php file from your server because anyone could use that exploit to take full control of your server and all of the sites and databases on it.  The exploit code has been available on the web for nearly 9 months and it is a really easy vulnerability to take advantage of  (hence the 10.0 exploitability subscore).

[BellisimaJ.]

xwpopper: I must have missed your response. Sorry.

Some of what you say is technically correct, however, id theft can be accomplished with the info on that site, and in fact, with less info.

Yes, many people permit easy access to that info, but that is their choice.

If you don't realize that you are putting yourself at risk , because the risks of a certain site owner's negligence have not been explained to you, that is not your choice.

Therein lies the difference.

[jezebel]

TTP
SSL: minor security problem
SQL injection vulnerability: major security problem from day 1

Why didn't you check the script's history before you bought it?

rule #1: check SecurityFocus, Secunia, OSVDB, Packet Storm, Us-Cert, etc before buying or installing any script
rule #2: never install a script hat has an unpatched vulnerability

[RiverRat]

TTP
SSL: minor security problem
SQL injection vulnerability: major security problem from day 1

Why didn't you check the script's history before you bought it?

rule #1: check SecurityFocus, Secunia, OSVDB, Packet Storm, Us-Cert, etc before buying or installing any script
rule #2: never install a script hat has an unpatched vulnerability

Lesson learned.  Problem removed and issue thereby resolved.

[BellisimaJ.]

Stupidity is its own punishment.

 

[justabella]

    PH...

The man behind the curtain is going to change scripts.......

[regic]

uh oh

[bargainbloodhound]

What I can tell you so far is this:

1) We know we can transfer:

User Database
Auctions
Images
Store items
Feedback

We cannot transfer stores however once auctions transfered over
you just 'open store' and click on which items you want to appear
in store with probid. Store names 'may' be able to be brought over
and definitely all store items can be imported as auctions.

We cannot transfer items into categories so what we would do is
have one category for all PH items and then you the user must
allocate one or two categories for your items.

What would we do in what order?

1) Very latest version is being released any day which we would
acquire and then test the databases prior to any moves.

2) Once done and we are happy we would add the required modifications
whilst applying new design.

3) After satisfactory stage 2 of testing we would need 2 days to move
over and activate new script fully. (approximately)

The probid script is very fast and efficient and very search engine friendly.
Also easy to maintain on server and to back up.

We will upgrade a few things this week on current site and attempt to fix
the bugs as I see a few other Rscript sites are also having some severe
issues with the script.

I will do everything I can to maintain the same feel of the current site with
only the updating of design but you will still have forums as they are but I
will be adding:

1) Blogs
2) IM (Internal messenging)
3) Classified area
4) Video uploading of auctions if you have a video
5) Better user verification systems

Plus a lot more

Will keep you informed as we move along as I seriously believe this is the only
option we have to survive the times ahead as carrying on like this will not be
an option.

I'm in agreement with Powerseller on phpProBid sites:

I would very very very strongly dislike it if the script were changed. I do not like phpprobid sites. I don't like the listing form, and they all have an unprofessional cookie cutter appearance to me. It's like 'you've seen one phpprobid site, you've seen two thousand of them'. I do like RScript very much which is one of the main reasons why I considered listing on PlunderHere to begin with. So my $0.02 is that I would HATE IT HATE IT HATE IT!

[amy]

There are a lot of complaints on the PH boards.  I don't think exchanging RScript's bugs for phpProBid's bugs is going to solve the real problem.

[PowerSeller]

There are a lot of complaints on the PH boards.  I don't think exchanging RScript's bugs for phpProBid's bugs is going to solve the real problem.

Yes, I think working through the problems would be far better than adding a whole new set of problems to the mix while wiping out some of what people like about PH now.  For PH's sake and Mark's sake, I honestly hope I'm wrong.

[regic]

This script 'Rscript' is very functional but very 'buggy' and this
cannot be helped as it is a natural occurrence with 'Perl type scripts.

Buggy scripts are a 'natural occurrence' when the scriptwriter is an incompetent idiot or sloppy programmer. RScript's bugs have nothing to do with the script being written in Perl.  The PHP language actually has more reported bugs, and security problems, than Perl because PHP is a newer language.  

We cannot transfer items into categories so what we would do is
have one category for all PH items and then you the user must
allocate one or two categories for your items.

translation: all 58,000 listings will need to be revised by sellers after the move

   This domain has just been registered for one of our customers!
Domain registration and webhosting at best prices.

When did Plunderhere.eu bite the dust?  Was any notice given of the site's closing?

[sneakymagenta]

The man behind the curtain is going to change scripts.......

 

Man the lifeboats!

[mandy]

When did Plunderhere.eu bite the dust?  Was any notice given of the site's closing?

It closed about 2 weeks ago:

An email was sent out as the site is going to be redone soon
but not sure everybody got the email as a few have contacted
me saying they did not get it.

We hope to have it back up soon and it will still be free for users
after the modifications have been added.

There really is not many auctions running on there but we will advise
as soon as we relaunch it.

http://www.plunderhere.co...ums/showthread.php?t=9630

[BellisimaJ.]

The man behind the curtain is going to change scripts.......

 

Man the lifeboats!

 

[xwpopper]

If any PH members want to know what will happen when the script changes over, it looks like Ray may have been chartered to handle the switch since he and Mo's resident "moron" can't handle the site.
http://probid.alsoshop.com/index.php?

All products will be in the same category when it is done. If it is handled correctly, the images should transfer smoothly, but have you ever tried to transfer 100K images? There will be timeouts and overloads (with the sorry PH server) and broken image files. Then, there will be those who have thousands of products listed to edit, one by one, at the same time as hundreds of other sellers. That will likely cause all kind of chaos in the database, to have in a few days, every seller change their categories, edit payment, shipping, often the description (since Probid works much differently with templates) and adds all their new features like swaps, offers, and videos. That should basically kill the site.

PS is making sense about the change, and no one seems to understand what she is saying. It seems like any cause she is fighting for, even the good ones like this, she ends up alone.

Mark has never run a site with this many listings. He already screwed up the server move royally for 2 months, and there are still prblems, but it really didn't require much skill. Now, PH members are going to trust him with a move that actually requires some skill?

[Tags:]

Jump to: Please select a destination: ----------------------------- TulipTools Announcements and News ----------------------------- => TulipTools Announcements and News ===> Suggestions, Bug Reports, etc ----------------------------- Advertising, Affiliates, and Marketing ----------------------------- => Advertising, Affiliates, and Marketing Discussion ===> Web Site Revenues: Advertising, Affiliate Programs, and Marketing for Site Owners =====> Affiliate Programs for Publishers =======> Amazon Affiliates =======> Commission Junction =====> Google AdSense =====> Other Ad Networks =====> PayPerClick Networks =====> Yahoo Publisher Network =====> Affiliate Program Announcements =====> General Advertising, Affiliates, and Marketing for Site Owners ===> Advertising and Marketing Your Product, Service, or Web Site =====> Affiliate Programs for Advertisers =======> Affiliate Networks =======> Affiliate Program Software =====> Email Campaigns and Newsletters =====> Google AdWords =====> Microsoft AdCenter =====> Offline Advertising and Marketing =====> Other Online Advertising and Marketing Techniques =====> Pay Per Click Networks For Advertisers =====> Yahoo Publisher Network for Advertisers =====> Advertising, Affiliates, and Marketing Announcements =====> General Advertising and Marketing Discussion ----------------------------- Blogs and Blogging, Web 2.0 ----------------------------- => Blogs and Blogging, Web 2.0 ===> Blog Networks =====> Entrecard ===> Blog Software ===> Free Blog Hosting Services ===> Blog Link Exchange ===> Community Building and Social Networking =====> Facebook =====> LinkedIn =====> MySpace ===> Podcasting ===> RSS Feeds ===> Social Bookmarking =====> Digg ===> Wikis =====> Wikipedia ===> Blogging and Web 2.0 Announcements ===> General Blogs, Blogging, and Web 2.0 Discussion ----------------------------- Computer Hardware, Networking, and Gaming ----------------------------- => Computer Hardware and Equipment, Networking, and Gaming ===> Computer Accessories ===> Computer Gaming ===> Computer Hardware ===> Desktop and Laptop Systems ===> Hardware Technical Support ===> Networking and Servers ===> Computer Hardware and Services Announcements ===> General Computer Hardware Discussion ----------------------------- Domain Names ----------------------------- => Domain Names ===> Domain Name Appraisals ===> Domain Brokerages and Auctions ===> Domain Name Development ===> Domain Name Legal Issues ===> Domain Names Registration and Registrars ===> Domain Name Reselling