Network Security Vuln-Dev

Etomite followup information

Subject: Etomite followup information
Date: Mon, 30 Jan 2006 17:15:07 -0500 (EST)


---------- Forwarded message ----------
From: Rick Elnor
To: moderators@osvdb.org
Date: Sun, 29 Jan 2006 10:11:08 -0800
Subject: [OSVDB Mods] [Change Request] 22693: Etomite todo.inc.php cij Variable Arbitrary Command Execution

Hello,

I am Rick Elnor, the Etomite CMS security expert and owner of Nixbased Security Consulting. I have noticed you reported the Etomite cij Variable Arbitrary Command Execution Vulnerability on your website. This information is not accurate.

Here's the truth: "The eto site got hacked - they downloaded the etomite v0.6.0 files, and implemented a security exploit into them on the 11th of January, and reuploaded to the eto server. They also did the same with the RC3 files.

The RTM files have been unaffected, as they are held on the secondary eto server.

If you downloaded Etomite v0.6.0 prior to the 10th of January, your etomite install is safe.
If you downloaded Etomite v0.6.0 or v0.6.1 RC3 after the 10th of January, your install may be compromised and you should upgrade to the RTM immediately.


The second issue (which we knew about from day 1) - which is now completely irrelevant anyway (they made the code look like the "phone home" feature of etomite which is why we thought the issues were related).
What the Phone Home feature does is phone home to the etomite server and tell us where you are running your etomite install ONLY if you untick the License Agreement box on the login page. THIS IS THE ONLY TIME v0.6.0 SENT US ANY DATA.


We no longer collect the data, as I have removed the datacollection script."

The above was posted as a forum message on the Etomite forums today at this location http://www.etomite.org/forums/index.php?showtopic=4291

Current Thread
  • Etomite followup information, security curmudgeon