PlunderHere and AlsoShop: A Web of Privacy Violations, Backstabbing, and Deceit

[BellisimaJ.]

[quote author=sneakymagenta link=topic=9139.msg70820#msg70820 date=1213647326]

[/quote]

[RiverRat]

[quote author=BellisimaJ. link=topic=9139.msg71113#msg71113 date=1215383578]
What's the TTP?
[/quote]

The Traders Post

[BellisimaJ.]

Thanks, Rat. Sorry, but I agree with Sneaky. Really, if you can't put an SSL on the site, you need a new site because you are putting your users at risk.

Do they even know that you don't have an SSL?

[sneakymagenta]

Easy solution to the PHTheTradersPost negativity you keep reading on 'other forums'...quit giving us something to talk about!
Fix the SSL and quit lying every time you open your mouth (or touch your keyboard).

This isn't a game.  You are responsible for the businesses of several hundred people.  Start acting like it!

We've never made any bones about not having SSL on TTP, Sneaky.
As we stated when we first opened it, we are still trying to resolve that issue.  The script is completely encrypted and there is no way for US to change it due to the encryption.

The irony of the hypocritical rants made by some folks when Plunderhere didn't have an SSL is unbelievable.

I have an idea - write off your megahuge $99 investment in the Softbiz Online Classifieds PLUS boxed script you're using and buy a new secure script that won't put the users of TheTradersPost.com at the mercy of identity thieves.   You should have changed scripts when you discovered the problem BEFORE you opened the site.  You shouldn't  have opened without having a secure login in place.

[BellisimaJ.]

$99? What are you......taking lessons from Ray??? How could you do that to your users after going after Ray for all tthose months? That's disgusting!!

[BellisimaJ.]

The irony of the hypocritical rants made by some folks when Plunderhere didn't have an SSL is unbelievable.

I have an idea - write off your megahuge $99 investment in the Softbiz Online Classifieds PLUS boxed script you're using and buy a new secure script that won't put the users of TheTradersPost.com at the mercy of identity thieves.  You should have changed scripts when you discovered the problem BEFORE you opened the site.  You shouldn't  have opened without having a secure login in place.

[sneakymagenta]

why did you [TheTradersPost] choose a script with a history of security problems?
http://www.google.com/search?q=secunia+a...lassifieds&btnG=Search&hl=en&c2coff=1&safe=off&rls=GGGL%2CGGGL%3A2006-26%2CGGGL%3Aen&sa=2

The scriptmaker hasn't fixed a security problem which the US Government's US-CERT rates as "High Risk"
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5122

The security alert was issued in September 2007.  Why didn't you check the script's history before you bought it?

Overview

SQL injection vulnerability in store_info.php in SoftBiz Classifieds PLUS allows remote attackers to execute arbitrary SQL commands via the id parameter.

Impact

CVSS Severity (version 2.0):
CVSS v2 Base score: 7.5 (High) (AV:N/AC:L/Au:N/C/I/A) (legend)
Impact Subscore: 6.4
Exploitability Subscore: 10.0

Access Vector: Network exploitable
Access Complexity: Low
Authentication: Not required to exploit
Impact Type: Provides unauthorized access, Allows partial confidentiality, integrity, and availability violation , Allows unauthorized disclosure of information , Allows disruption of service

Anybody with access to Google could find the instructions for hacking the script because it is on the first page of search results for "softbiz classifieds".  Didn't you notice that 4 of the 10 results on page one of a Google search for the script pertain to the script's security problems???

Softbiz Classifieds PLUS (id) Remote SQL Injection Vulnerability      Archive
Classifieds SQL INJECTION #### #### BY IRCRASH #### ##################################################################################### # # #AUTHOR ...
www.milw0rm.com/exploits/4457

[RiverRat]

[quote author=sneakymagenta link=topic=9139.msg71117#msg71117 date=1215384326]

Easy solution to the PHTheTradersPost negativity you keep reading on 'other forums'...quit giving us something to talk about!
Fix the SSL and quit lying every time you open your mouth (or touch your keyboard).

This isn't a game.  You are responsible for the businesses of several hundred people.  Start acting like it!

We've never made any bones about not having SSL on TTP, Sneaky.
As we stated when we first opened it, we are still trying to resolve that issue.  The script is completely encrypted and there is no way for US to change it due to the encryption.

The irony of the hypocritical rants made by some folks when Plunderhere didn't have an SSL is unbelievable.

I have an idea - write off your megahuge $99 investment in the Softbiz Online Classifieds PLUS boxed script you're using and buy a new secure script that won't put the users of TheTradersPost.com at the mercy of identity thieves.   You should have changed scripts when you discovered the problem BEFORE you opened the site.  You shouldn't  have opened without having a secure login in place.


[/quote]

Yep it's a cheap ass script.  Never pretended it was anything different...or did you miss those posts too?

Question...why are you just now bringing up the SSL issue?  Didn't you care about anyone's security on there before now?

[sneakymagenta]

Question...why are you just now bringing up the SSL issue?  Didn't you care about anyone's security on there before now?

Yet another Ebay alternative owner trying to pass the blame to others for their own boinkups.  Did you learn that trick from Ray Romeo?  He excels at never accepting responsibilty,

It's the site owner's responsibility to provide users with a safe secure site. It's the site owner's responsibility to check for security vulnerabilities and install SSL certificates. The blame for the failure to do that for the past 6 months falls entirely on YOU, not on users or the script writer or OAI forum posters.

[RiverRat]

[quote author=sneakymagenta link=topic=9139.msg71127#msg71127 date=1215390767]

Question...why are you just now bringing up the SSL issue?  Didn't you care about anyone's security on there before now?

Yet another Ebay alternative owner trying to pass the blame to others for their own boinkups.  Did you learn that trick from Ray Romeo?  He excels at never accepting responsibilty,

It's the site owner's responsibility to provide users with a safe secure site. It's the site owner's responsibility to check for security vulnerabilities and install SSL certificates. The blame for the failure to do that for the past 6 months falls entirely on YOU, not on users or the script writer or OAI forum posters.

[/quote]

Sneaky, I don't believe I was 'blaming' anyone.  Just stating facts. 

Did you take it I was blaming you?  I simply asked why you waited until now to mention the SSL seeing as how you've known about the site all along and typically you bring things like this to everyone's attention as soon as you discover it.  I was just curious as to what sparked your ire about it today.

I'm not sure what your recent vendetta against Joe and me (particularly me it seems) is, nor do I care.  I do find it hard to believe it's simply over the few things you've posted about though.

Either way...TTP is no longer an issue and neither is your apparent distaste for me...at least not as far as I'm concerned.