Is your NATS hacked ?

  • SmokeyTheBear
    ►SouthOfHeaven
    • Jun 2004
    • 28609

    #1

    Is your NATS hacked ?

    are there any nats sponsors who havent been compromised ?

    seems like every sponsor who has commented has been compromised, just curious as to if anyone who runs nats that didn't get compromised by a nats employee's user/pass
    hatisblack at yahoo.com
  • sicone
    Retired
    • Jan 2004
    • 18453

    #2
    I find it odd that NATs insists on having admin access...


    Doesn't NATs also own a pay site program (Teen Dolls)? Would seem to me that having a free list of verified emails of people who are willing to pull out their CC to join a site would be of great value to them.

    Not accusing them of anything, just some food for thought

    Comment

    • teksonline
      So Fucking Banned
      • Jan 2005
      • 2904

      #3
      hrmph, im hungry

      Comment

      • iMind
        Confirmed User
        • Nov 2007
        • 937

        #4
        Originally posted by sicone
        I find it odd that NATs insists on having admin access...


        Doesn't NATs also own a pay site program (Teen Dolls)? Would seem to me that having a free list of verified emails of people who are willing to pull out their CC to join a site would be of great value to them.

        Not accusing them of anything, just some food for thought
        threats of lawsuit in 10, 9 , 8 , 7 ...

        Comment

        • SmokeyTheBear
          ►SouthOfHeaven
          • Jun 2004
          • 28609

          #5
          i find it odd they would allow an employee one user/pass to get into every nats sponsor.

          i find it doubly odd that nobody from nats noticed this account had been compromised before it was posted on gfy.

          I find it even more strange that there are not any security measures in place that would have spotted this ( i.e. hourly logins from the same employee on almost every nats sponsor so far ) in layman's terms how an employee could log into several nats sponsors at the same time using the same account.

          shouldn't any of these things have raised more than 1 red flag ?

          as far as affiliates are concerned , should we be worried we will now become targets of identity theft ? what plans does nats have on informing affiliates whose information might have been disclosed.

          what information can any sponsors provide that might shed some light on what information is available to the nats employee's account that was used to login ? ( i.e. ss#'s ? passwords ? )
          hatisblack at yahoo.com

          Comment
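
The kind of check post #5 asks about, as an added example that is not part of the thread and not NATS code: it flags one account logging in to many sponsors within minutes, and logins that repeat on a fixed cadence. The log format, account names, addresses and thresholds are assumptions, and it presumes admin-login records from several sponsors are pooled in one place.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<ISO time> <sponsor> <account> <source IP>".
# Every name, time and address below is made up for the illustration.
SAMPLE_LOG = """\
2024-01-10T01:00:05 sponsor-a vendor_admin 203.0.113.7
2024-01-10T01:00:41 sponsor-b vendor_admin 203.0.113.7
2024-01-10T01:01:12 sponsor-c vendor_admin 203.0.113.7
2024-01-10T01:30:00 sponsor-a local_owner 198.51.100.20
2024-01-10T02:00:04 sponsor-a vendor_admin 203.0.113.7
2024-01-10T02:00:39 sponsor-b vendor_admin 203.0.113.7
2024-01-10T02:01:10 sponsor-c vendor_admin 203.0.113.7
2024-01-10T03:00:06 sponsor-a vendor_admin 203.0.113.7
2024-01-10T03:00:40 sponsor-b vendor_admin 203.0.113.7
2024-01-10T03:01:13 sponsor-c vendor_admin 203.0.113.7
2024-01-10T09:15:00 sponsor-b support_tech 192.0.2.44
not-a-date sponsor-a vendor_admin 203.0.113.7
garbage line that should be skipped
"""


def parse_events(text):
    """Return (when, sponsor, account, ip) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            when = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        events.append((when, parts[1], parts[2], parts[3]))
    return events


def fan_out_alerts(events, window=timedelta(minutes=5), min_sponsors=3):
    """Accounts that logged in to >= min_sponsors distinct sponsors within `window`."""
    by_account = defaultdict(list)
    for when, sponsor, account, _ip in sorted(events):
        by_account[account].append((when, sponsor))
    alerts = {}
    for account, logins in by_account.items():
        hits, i = [], 0
        while i < len(logins):
            start, j, sponsors = logins[i][0], i, set()
            while j < len(logins) and logins[j][0] - start <= window:
                sponsors.add(logins[j][1])
                j += 1
            if len(sponsors) >= min_sponsors:
                hits.append((start, sorted(sponsors)))
                i = j  # one alert per burst, then move past it
            else:
                i += 1
        if hits:
            alerts[account] = hits
    return alerts


def regular_cadence(events, min_logins=3, jitter=timedelta(minutes=2)):
    """(account, sponsor) pairs whose login gaps are near-constant, with the mean gap."""
    times = defaultdict(list)
    for when, sponsor, account, _ip in sorted(events):
        times[(account, sponsor)].append(when)
    found = {}
    for key, stamps in times.items():
        if len(stamps) < min_logins:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= jitter:
            found[key] = sum(gaps, timedelta()) / len(gaps)
    return found


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for account, hits in fan_out_alerts(evts).items():
        for start, sponsors in hits:
            print(f"FAN-OUT {account} at {start}: {', '.join(sponsors)}")
    for (account, sponsor), gap in regular_cadence(evts).items():
        print(f"CADENCE {account}@{sponsor}: every ~{gap}")
```
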

          • sicone
            Retired
            • Jan 2004
            • 18453

            #6
            sue for what.. pointing out the obvious conflicts of interest.

            hope you didnt pay much for your law degree

            Comment

            • OzMan
              Confirmed User
              • Sep 2003
              • 9162

              #7
              shit waddeye miss? ... time to search

              Comment

              • Headless
                Registered User
                • Jan 2001
                • 26727

                #8

                Comment

                • SmokeyTheBear
                  ►SouthOfHeaven
                  • Jun 2004
                  • 28609

                  #9
                  Originally posted by OzMan
                  shit waddeye miss? ... time to search
                  a nats employee's username was used to login and most likely steal information from quite a few nats sponsors. in fact there's only one sponsor i have heard of using nats that hasn't been compromised , and only because they manually disabled nats employees from logging onto their server
                  hatisblack at yahoo.com

                  Comment

                  • Gordon G
                    So Fucking Banned
                    • May 2006
                    • 646

                    #10
                    Originally posted by Headless
                    My god you are such a fucking idiot.

                    Comment

                    • spacedog
                      Yes that IS me. Bitch.
                      • Nov 2001
                      • 14149

                      #11
                      Originally posted by SmokeyTheBear
                      a nats employee's username was used to login and most likely steal information from quite a few nats sponsors. in fact there's only one sponsor i have heard of using nats that hasn't been compromised , and only because they manually disabled nats employees from logging onto their server

                      A nats employee who last posted on the Nats board in August but then started posting elsewhere looking for freelance jobs in September?????

                      Comment

                      • Gordon G
                        So Fucking Banned
                        • May 2006
                        • 646

                        #12
                        why anyone uses nats is beyond me

                        Comment

                        • SmokeyTheBear
                          ►SouthOfHeaven
                          • Jun 2004
                          • 28609

                          #13
                          i wonder how many affiliates who used nats sponsors had their epassporte accounts stolen thru info obtained from this compromise ? it would explain the rash of epassporte thefts.
                          hatisblack at yahoo.com

                          Comment

                          • spacedog
                            Yes that IS me. Bitch.
                            • Nov 2001
                            • 14149

                            #14
                            Originally posted by SmokeyTheBear
                            i wonder how many affiliates who used nats sponsors had their epassporte accounts stolen thru info obtained from this compromise ? it would explain the rash of epassporte thefts.
                            Not likely. Programs don't ask for your epass password.

                            Gotta be a real fucking idiot to be using same password everywhere in first place.

                            Comment

                            • wtfent
                              Confirmed User
                              • Nov 2003
                              • 3790

                              #15
                              Originally posted by sicone
                              I find it odd that NATs insists on having admin access...


                              Doesn't NATs also own a pay site program (Teen Dolls)? Would seem to me that having a free list of verified emails of people who are willing to pull out their CC to join a site would be of great value to them.

                              Not accusing them of anything, just some food for thought
                              Why the hell would they do that? So they can make a quick $10,000 and lose out on the millions they will make in the future with nats? I buy trials every now and then and if i saw them spamming me with their sites I think it would make for pretty huge drama that would spread within a week max. The Nats guys are all stand up guys.
                              ThisWillShockYou.com DVD Store - TWSY UNCENSORED
                              ICQ# 194020367 E-mail: shockingbucks(AT)gmail.com
                              Promote something different!! Shocking Bucks

                              Comment

                              • SmokeyTheBear
                                ►SouthOfHeaven
                                • Jun 2004
                                • 28609

                                #16
                                Originally posted by spacedog
                                Not likely. Programs don't ask for your epass password.

                                Gotta be a real fucking idiot to be using same password everywhere in first place.
                                do you think it would be easier to hack an epassporte account knowing all their personal information ?

                                also take into account that many sponsors created the epassporte accounts for their affiliates ( perhaps with the affiliates current password )

                                now obviously using shared passwords is a big no-no but thats beside the point. ideally everyone should have a deadbolt on their door , but i would think if your locksmith's key was used to get in you first look at the locksmith
                                hatisblack at yahoo.com

                                Comment

                                • AlienQ - BANNED FOR LIFE
                                  best designer on GFY
                                  • Mar 2003
                                  • 30307

                                  #17
                                  Stats and client information are the most coveted of things a program owner can have. Why people that use NATS chose NATS is pure stupidity.

                                  I said it 3 years ago and I am still saying it.
                                  People called me an idiot then, and will probably call me an idiot now for saying so...

                                  And to this day I still say I told ya so.
                                  No sympathy from me.

                                  Dumb is dumb.

                                  Comment

                                  • iMind
                                    Confirmed User
                                    • Nov 2007
                                    • 937

                                    #18
                                    Originally posted by sicone
                                    sue for what.. pointing out the obvious conflicts of interest.

                                    hope you didnt pay much for your law degree
                                    I was referring to John from nats, How he starts threatening lawsuits and using legal jargon to try and shut people up.

                                    Comment

                                    • Gordon G
                                      So Fucking Banned
                                      • May 2006
                                      • 646

                                      #19
                                      Originally posted by iMind
                                      I was referring to John from nats, How he starts threatening lawsuits and using legal jargon to try and shut people up.
                                      John and lawsuits have a ring to it lol

                                      Comment

                                      • SmokeyTheBear
                                        ►SouthOfHeaven
                                        • Jun 2004
                                        • 28609

                                        #20
                                        Originally posted by AlienQ
                                        Stats and client information are the most coveted of things a program owner can have. Why people that use NATS chose NATS is pure stupidity.

                                        I said it 3 years ago and I am still saying it.
                                        People called me an idiot then, and will probably call me an idiot now for saying so...

                                        And to this day I still say I told ya so.
                                        No sympathy from me.

                                        Dumb is dumb.
                                        yer freakin nostradamus

                                        i think many sponsors use nats because

                                        A) its pretty easy
                                        B) a lot of other sponsors use it so for affiliates its easy to navigate.

                                        those arent of course very good reasons , but understandable anyways.

                                        having a standard sponsor software will always lead to troubles when you have a compromise like this .
                                        hatisblack at yahoo.com

                                        Comment

                                        • iMind
                                          Confirmed User
                                          • Nov 2007
                                          • 937

                                          #21
                                          Originally posted by SmokeyTheBear
                                          yer freakin nostradamus

                                          i think many sponsors use nats because

                                          A) its pretty easy
                                          B) a lot of other sponsors use it so for affiliates its easy to navigate.

                                          those arent of course very good reasons , but understandable anyways.

                                          having a standard sponsor software will always lead to troubles when you have a compromise like this .
                                          Alienq invented hacking nats

                                          Comment

                                          • JOKER
                                            Facit Omnia Voluntas
                                            • Apr 2003
                                            • 2105

                                            #22
                                            Originally posted by SmokeyTheBear
                                            do you think it would be easier to hack an epassporte account knowing all their personal information ?

                                            also take into account that many sponsors created the epassporte accounts for their affiliates ( perhaps with the affiliates current password )

                                            now obviously using shared passwords is a big no-no but thats beside the point. ideally everyone should have a deadbolt on their door , but i would think if your locksmith's key was used to get in you first look at the locksmith
                                            Right on the fucking money.

                                            Remember the TrafficHangar incident and how many have been affected?

                                            Didnt see this thread at first, sorry...

                                            Posted something similar here as well:

                                            http://www.gofuckyourself.com/showpo...&postcount=184
                                            Facilitation - BizDev - Traffic - Consulting - Marketing
                                            Skype: jokerempire | Silent Circle: joker

                                            Comment

                                            • SmokeyTheBear
                                              ►SouthOfHeaven
                                              • Jun 2004
                                              • 28609

                                              #23
                                              seems like a few sponsors would be glad to pipe in that their nats wasnt hacked unless everyone was hacked except those that banned nats employees access.
                                              hatisblack at yahoo.com

                                              Comment

                                              • V_RocKs
                                                Damn Right I Kiss Ass!
                                                • Nov 2003
                                                • 32449

                                                #24
                                                Epassporte hacks are usually someone using their Epassporte account password as their affiliate account password. The affiliate Db gets hacked and the hacker just has to trial and error his way through the DB...

                                                Instant cash.

                                                Then see where you bank if you are one of the wires types and use your password there too. Again.. easy money. Especially if the hacker can gain access to an account as the same bank... Transfer all your money with a few clicks...

                                                Of course, every time this happens the guy who got fucked in the ass says he didn't use the same password. Yeah... Way to save face pal.. We all know you did. No use lying about it!

                                                Comment

                                                • Brad Mitchell
                                                  Confirmed User
                                                  • Nov 2001
                                                  • 9813

                                                  #25
                                                  Originally posted by JOKER | JOKEREMPIRE Inc.
                                                  Right on the fucking money.

                                                  Remember the TrafficHangar incident and how many have been affected?

                                                  Didnt see this thread at first, sorry...

                                                  Posted something similar here as well:

                                                  http://www.gofuckyourself.com/showpo...&postcount=184
                                                  oh jesus christ does NATS really store the affiliate passwords in plain text for an admin access user to view? Tell me that's not true. Please, really. Can anyone confirm?

                                                  Brad
                                                  President at MojoHost | brad at mojohost dot com | Skype MojoHostBrad
                                                  71 industry awards for hosting and professional excellence since 1999

                                                  Comment

                                                  • SmokeyTheBear
                                                    ►SouthOfHeaven
                                                    • Jun 2004
                                                    • 28609

                                                    #26
                                                    Originally posted by V_RocKs
                                                    Epassporte hacks are usually someone using their Epassporte account password as their affiliate account password. The affiliate Db gets hacked and the hacker just has to trial and error his way through the DB...

                                                    Instant cash.
                                                    i dont know about usually but i'm sure it happens this way quite often , but prob just as often it is other things further down the line , like once they know your epass account name = (affilid+sponsorname) + users real email they have A LOT more to go on even if the passwords are different ( besides having all your personal info needed to steal your identity )

                                                    gotta wonder how the "head programmer" of nats lost his password

                                                    you would think that would be a pretty important password to lose when it means you can backdoor every nats sponsor and walk away with a kings ransom in data.

                                                    you would also think it would be a pretty hard thing to miss for so long , the head programmers master backdoor is compromised and nobody notices a thing .
                                                    hatisblack at yahoo.com

                                                    Comment

                                                    • rowan
                                                      Too lazy to set a custom title
                                                      • Mar 2002
                                                      • 17393

                                                      #27
                                                      Originally posted by Brad Mitchell
                                                      oh jesus christ does NATS really store the affiliate passwords in plain text for an admin access user to view? Tell me that's not true. Please, really. Can anyone confirm?
                                                      Even if it's not plain text, it wouldn't take too long to brute force crack some common passwords such as 'coffee' or '12345'. As a bonus, they're probably the most likely people to use the same pass everywhere.

                                                      Comment

                                                      • D
                                                        Confirmed User
                                                        • Jan 2006
                                                        • 7412

                                                        #28
                                                        So, what I'm hearing is anyone using NATS who didn't disable TMM's access to their servers has the personal information of their entire user-base and affiliate-base compromised?

                                                        Last edited by D; 12-21-2007, 10:35 PM.
                                                        -D.
                                                        ICQ: 202-96-31

                                                        Comment

                                                        • milan
                                                          Confirmed User
                                                          • May 2005
                                                          • 800

                                                          #29
                                                          Originally posted by D
                                                          So, what I'm hearing is anyone using NATS who didn't disable TMM's access to their servers has the personal information of their entire user-base and affiliate-base compromised?

                                                          Exactly!
                                                          QuadraNET - ICQ:2222 15312 - milan [nosp@m] QuadraNET.com
                                                          24/7 "REALLY ON-SITE" Support - Completely Premium Network
                                                          Public & Private Network, Remote Reboot, Private VLANs
                                                          99.99% Guaranteed Network Uptime / BGP4 Multihomed
                                                          24/7 LIVE CHAT, Phone and Ticket Support
                                                          1-888-5-QUADRA

                                                          Comment

                                                          • Nails
                                                            Confirmed User
                                                            • Jun 2007
                                                            • 262

                                                            #30
                                                            Sounds like someone should be suing Nats right about now.

                                                            Comment

                                                            • D
                                                              Confirmed User
                                                              • Jan 2006
                                                              • 7412

                                                              #31
                                                              Originally posted by Brad Mitchell
                                                              oh jesus christ does NATS really store the affiliate passwords in plain text for an admin access user to view? Tell me that's not true. Please, really. Can anyone confirm?

                                                              Brad
                                                              Sorry I missed this before my first post in this thread... was kinda dumb-founded at the fact that I blew that thread off this morning as "another drama thread."

                                                              As of the last time we used NATS (a year ago), and as I can recall, all affiliate and user passwords, usernames, addresses, epass account names, etc. were stored in plain text.



                                                              Someone please correct me if that's not the status quo.
                                                              -D.
                                                              ICQ: 202-96-31

                                                              Comment

                                                              • pocketkangaroo
                                                                Confirmed User
                                                                • Jan 2005
                                                                • 8452

                                                                #32
                                                                Originally posted by D
                                                                Sorry I missed this before my first post in this thread... was kinda dumb-founded at the fact that I blew that thread off this morning as "another drama thread."

                                                                As of the last time we used NATS (a year ago), and as I can recall, all affiliate and user passwords, usernames, addresses, epass account names, etc. were stored in plain text.



                                                                Someone please correct me if that's not the status quo.
                                                                Would this include banks and account numbers for wires/ACH? I'm just a tad worried that my company's banking information is sitting in the hands of a hacker right now. I'm hoping it's somehow protected though.

                                                                Also, what about stuff like SSN? My company uses a FEIN but I'm guessing some still use their SSN.

                                                                Comment

                                                                • Doctor Dre
                                                                  Too lazy to set a custom title
                                                                  • Jan 2001
                                                                  • 51692

                                                                  #33
                                                                  Originally posted by wtfent
                                                                  Why the hell would they do that? So they can make a quick $10,000 and lose out on the millions they will make in the future with nats? I buy trials every now and then and if i saw them spamming me with their sites I think it would make for pretty huge drama that would spread within a week max. The Nats guys are all stand up guys.
                                                                  I'm in NO WAY saying Nat's are the one emailing the members... not at all. I think (to myself) with the answers we've seen here, it's pretty clear that John might be arrogant, but I doubt he's guilty of this one.

                                                                  But having access to emailing 50 % + of the surfers paying for porn will bring a lot more money than $10 000. It's totally targeted surfers, the perfect list.

                                                                  I'm sure lots of people could be willing to spend tons of cash developing a technology to hack into that kind of data.

                                                                  The webmaster epass stolen could also be explained.
                                                                  Originally posted by rayadp05
                                                                  I rebooted, deleted temp files, history, cookies and everything...still cannot view the news clip. All I see is that fucking gay ass music video from "Rick Roll". Anyone else have a different link to the news clip?

                                                                  Comment

                                                                  • SmokeyTheBear
                                                                    ►SouthOfHeaven
                                                                    • Jun 2004
                                                                    • 28609

                                                                    #34
                                                                    Originally posted by pocketkangaroo
                                                                    Would this include banks and account numbers for wires/ACH? I'm just a tad worried that my company's banking information is sitting in the hands of a hacker right now. I'm hoping it's somehow protected though.

                                                                    Also, what about stuff like SSN? My company uses a FEIN but I'm guessing some still use their SSN.
                                                                    my guess would be yes, if the account passwords were not encrypted then i dont know why they would encrypt the banking info.

                                                                    besides if the password is there the hacker can just login with your account and see the banking info if its available in your settings.
                                                                    hatisblack at yahoo.com

                                                                    Comment

                                                                    • kmanrox
                                                                      aka K-Man
                                                                      • Oct 2001
                                                                      • 29295

                                                                      #35
                                                                      doh!!!!!!!
                                                                      Crypto HODLr
                                                                      Crypto mining
                                                                      Angel investor

                                                                      Comment

                                                                      • hateman
                                                                        So Fucking Banned
                                                                        • Jul 2003
                                                                        • 1623

                                                                        #36
                                                                        NATS is fucked

                                                                        it has so many flaws

                                                                        why sponsors use it is beyond me.


                                                                        • borked
                                                                          Totally Borked
                                                                          • Feb 2005
                                                                          • 6284

                                                                          #37
                                                                          Originally posted by Brad Mitchell
                                                                          oh jesus christ does NATS really store the affiliate passwords in plain text for an admin access user to view? Tell me that's not true. Please, really. Can anyone confirm?

                                                                          Brad
                                                                          No, members' passes are cleartext by default. Affiliate passwords are two-way encrypted. What I don't understand is why the need for two-way encryption? To reset an affiliate's pass if they forgot it in the backend is nothing, so 1-way encryption would have been far better. John posted in another thread that this is to be included in NATS4. Shame it wasn't sooner IMPO.

                                                                          For coding work - hit me up on andy // borkedcoder // com
                                                                          (consider figuring out the email as test #1)



                                                                          All models are wrong, but some are useful. George E.P. Box. p202
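
Added example, not part of the original post and not NATS code: a sketch of the one-way scheme described in post #37, where the backend stores only a password hash and a forgotten password is handled by a reset, never by decryption. The table layout, function names and sample values are assumptions.

```php
<?php
declare(strict_types=1);
// Added illustration, not NATS code. Table, function names and sample values are assumptions.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE affiliates (
    login TEXT PRIMARY KEY, pw_hash TEXT NOT NULL,
    reset_hash TEXT, reset_expires INTEGER)');

function create_affiliate(PDO $db, string $login, string $password): void
{
    // password_hash() salts and stretches the password; there is no decrypt step.
    $db->prepare('INSERT INTO affiliates (login, pw_hash) VALUES (?, ?)')
       ->execute([$login, password_hash($password, PASSWORD_DEFAULT)]);
}

function verify_login(PDO $db, string $login, string $password): bool
{
    $stmt = $db->prepare('SELECT pw_hash FROM affiliates WHERE login = ?');
    $stmt->execute([$login]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($password, $hash);
}

function start_reset(PDO $db, string $login, int $now): ?string
{
    // The token is sent to the affiliate's registered e-mail; only its digest is stored.
    $token = bin2hex(random_bytes(32));
    $stmt = $db->prepare('UPDATE affiliates SET reset_hash = ?, reset_expires = ? WHERE login = ?');
    $stmt->execute([hash('sha256', $token), $now + 3600, $login]);
    return $stmt->rowCount() === 1 ? $token : null;
}

function finish_reset(PDO $db, string $login, string $token, string $newPassword, int $now): bool
{
    $stmt = $db->prepare('SELECT reset_hash, reset_expires FROM affiliates WHERE login = ?');
    $stmt->execute([$login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['reset_hash'] === null || (int)$row['reset_expires'] < $now) {
        return false; // unknown account, no pending reset, or expired token
    }
    // Constant-time comparison of the stored digest with the digest of the presented token.
    if (!hash_equals($row['reset_hash'], hash('sha256', $token))) {
        return false;
    }
    // Replace the hash and clear the token so it cannot be used a second time.
    $db->prepare('UPDATE affiliates SET pw_hash = ?, reset_hash = NULL, reset_expires = NULL WHERE login = ?')
       ->execute([password_hash($newPassword, PASSWORD_DEFAULT), $login]);
    return true;
}

// Constructed sample account and reset flow.
$now = time();
create_affiliate($db, 'affiliate1', 'old-forgotten-pass');
$token = start_reset($db, 'affiliate1', $now) ?? '';
var_dump(finish_reset($db, 'affiliate1', 'wrong-token', 'unused-pass', $now));
var_dump(finish_reset($db, 'affiliate1', $token, 'new-pass-2', $now));
var_dump(verify_login($db, 'affiliate1', 'old-forgotten-pass'));
var_dump(verify_login($db, 'affiliate1', 'new-pass-2'));
var_dump(finish_reset($db, 'affiliate1', $token, 'another-pass', $now)); // token already consumed
```

With this layout, read access to the table yields hashes rather than recoverable passwords.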


                                                                          • c0py-BANNED FOR LIFE
                                                                            So Fucking Banned
                                                                            • Feb 2004
                                                                            • 195

                                                                            #38
                                                                            All I can say is SQL Injection.


                                                                            • quantum-x
                                                                              Confirmed User
                                                                              • Feb 2002
                                                                              • 6863

                                                                              #39
                                                                              Originally posted by c0py
                                                                              All I can say is SQL Injection.
                                                                              Bang on the money.
                                                                              PrettyInCash.com - BoozedGFs.com - TeenGFs.com - JizzGFs.com- MilfUploads.com -


                                                                              • quantum-x
                                                                                Confirmed User
                                                                                • Feb 2002
                                                                                • 6863

                                                                                #40
                                                                                Originally posted by Nails
                                                                                Sounds like someone should be suing Nats right about now.
                                                                                They already have pending lawsuits.
                                                                                PrettyInCash.com - BoozedGFs.com - TeenGFs.com - JizzGFs.com- MilfUploads.com -


                                                                                • k0nr4d
                                                                                  Confirmed User
                                                                                  • Aug 2006
                                                                                  • 9231

                                                                                  #41
                                                                                  I've seen code by the TMM guys, I seriously doubt there are any SQL injection issues in NATS...
                                                                                  Mechanical Bunny Media
                                                                                  Mechbunny Tube Script | Mechbunny Webcam Aggregator Script | Custom Web Development


                                                                                  • uno
                                                                                    RIP Dodger. BEST.CAT.EVER
                                                                                    • Dec 2002
                                                                                    • 18450

                                                                                    #42
                                                                                    Panchodog has had the admin locked down via specific full IPs for a very long time now.
                                                                                    -uno
                                                                                    icq: 111-914
                                                                                    CrazyBabe.com - porn art
                                                                                    MojoHost - For all your hosting needs, present and future. Tell them I sent ya!


                                                                                    • quantum-x
                                                                                      Confirmed User
                                                                                      • Feb 2002
                                                                                      • 6863

                                                                                      #43
                                                                                      Originally posted by k0nr4d
                                                                                      I've seen code by the TMM guys, I seriously doubt there are any SQL injection issues in NATS...
                                                                                      Then you're a bad coder.
                                                                                      It's just that simple.
                                                                                      PrettyInCash.com - BoozedGFs.com - TeenGFs.com - JizzGFs.com- MilfUploads.com -


                                                                                      • jscott
                                                                                        jscizzle
                                                                                        • Feb 2001
                                                                                        • 25412

                                                                                        #44
                                                                                        Any input from NATS on this matter? I find this very disturbing, need a little reassurance please John
                                                                                        “If you think tough men are dangerous, wait until you see what weak men are capable of.”
                                                                                        —Jordan B. Peterson

                                                                                        Listen to Pomp tell why is Bitcoin important


                                                                                        • k0nr4d
                                                                                          Confirmed User
                                                                                          • Aug 2006
                                                                                          • 9231

                                                                                          #45
                                                                                          Originally posted by quantum-x
                                                                                          Then you're a bad coder.
                                                                                          It's just that simple.
                                                                                          Preventing SQL injection is not rocket science, buddy.
                                                                                          Mechanical Bunny Media
                                                                                          Mechbunny Tube Script | Mechbunny Webcam Aggregator Script | Custom Web Development


                                                                                          • quantum-x
                                                                                            Confirmed User
                                                                                            • Feb 2002
                                                                                            • 6863

                                                                                            #46
                                                                                            Originally posted by k0nr4d
                                                                                            Preventing SQL injection is not rocket science, buddy.
                                                                                            Please don't patronize me. I've worked very closely w/ NATS and CARMA since they were in beta.
                                                                                            I have personally tested and proved SQL injections against NATS and CARMA [and dutifully reported them]. I have looked at the source of both, and literally just took a scroll through it again. There are exploitable areas. I haven't seen a mysql_real_escape_string anywhere in the code I saw, and 6 months ago, there were definite issues. HTML_special_chars / [and god forbid] addslashes and the ilk are not sql protection.

                                                                                            Check out - http://www.gofuckyourself.com/showpo...&postcount=218

                                                                                            I know programmers love to piss on each other, but the fact of the matter is that basically ANY script online is susceptible to attack, whether it be by the script itself, or the frameworks that support it.
                                                                                            PrettyInCash.com - BoozedGFs.com - TeenGFs.com - JizzGFs.com- MilfUploads.com -


                                                                                            • borked
                                                                                              Totally Borked
                                                                                              • Feb 2005
                                                                                              • 6284

                                                                                              #47
                                                                                              Originally posted by jscott
                                                                                              Any input from NATS on this matter? I find this very disturbing, need a little reassurance please John
                                                                                              John said in this thread that he's emailing all NATS customers. You haven't received that email by now?

                                                                                              For coding work - hit me up on andy // borkedcoder // com
                                                                                              (consider figuring out the email as test #1)



                                                                                              All models are wrong, but some are useful. George E.P. Box. p202


                                                                                              • borked
                                                                                                Totally Borked
                                                                                                • Feb 2005
                                                                                                • 6284

                                                                                                #48
                                                                                                Originally posted by quantum-x
                                                                                                Please don't patronize me. I've worked very closely w/ NATS and CARMA since they were in beta.
                                                                                                I have personally tested and proved SQL injections against NATS and CARMA [and dutifully reported them]. I have looked at the source of both, and literally just took a scroll through it again. There are exploitable areas. I haven't seen a mysql_real_escape_string anywhere in the code I saw, and 6 months ago, there were definite issues. HTML_special_chars / [and god forbid] addslashes and the ilk are not sql protection.

                                                                                                Check out - http://www.gofuckyourself.com/showpo...&postcount=218

                                                                                                I know programmers love to piss on each other, but the fact of the matter is that basically ANY script online is susceptible to attack, whether it be by the script itself, or the frameworks that support it.
                                                                                                Interesting...
                                                                                                How many people have access to the open source of NATS? Surely the only way to know where these exploits are, if what you say is correct, is to have access to the source.

                                                                                                How come you have access to the source?

                                                                                                For coding work - hit me up on andy // borkedcoder // com
                                                                                                (consider figuring out the email as test #1)



                                                                                                All models are wrong, but some are useful. George E.P. Box. p202


                                                                                                • k0nr4d
                                                                                                  Confirmed User
                                                                                                  • Aug 2006
                                                                                                  • 9231

                                                                                                  #49
                                                                                                  Originally posted by quantum-x
                                                                                                  Please don't patronize me. I've worked very closely w/ NATS and CARMA since they were in beta.
                                                                                                  I have personally tested and proved SQL injections against NATS and CARMA [and dutifully reported them]. I have looked at the source of both, and literally just took a scroll through it again. There are exploitable areas. I haven't seen a mysql_real_escape_string anywhere in the code I saw, and 6 months ago, there were definite issues. HTML_special_chars / [and god forbid] addslashes and the ilk are not sql protection.

                                                                                                  Check out - http://www.gofuckyourself.com/showpo...&postcount=218

                                                                                                  I know programmers love to piss on each other, but the fact of the matter is that basically ANY script online is susceptible to attack, whether it be by the script itself, or the frameworks that support it.
                                                                                                  You may be right, or they may be doing their escaping in the nats_db_query function or relying on magic_quotes_gpc. I don't have access to the nats source, but I'm working on a project with TMM and from the cleanliness of their code, I doubt they would make some noobish mistakes like not sanitizing user input.
                                                                                                  Mechanical Bunny Media
                                                                                                  Mechbunny Tube Script | Mechbunny Webcam Aggregator Script | Custom Web Development
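
Added example, not part of the thread and not NATS code: posts #46 and #49 turn on whether HTML encoding, addslashes() or magic_quotes_gpc (which applied addslashes() to request data) count as SQL protection. The sketch below runs the same lookup with each filter and then with a bound parameter; the table, function names and inputs are constructed for illustration.

```php
<?php
declare(strict_types=1);
// Added illustration, not NATS code. Table, column and function names are assumptions.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, login TEXT, email TEXT)');
$db->exec("INSERT INTO members (login, email) VALUES
    ('alice', 'alice@example.test'), ('bob', 'bob@example.test'), ('carol', 'carol@example.test')");

// "Before": the value is passed through a filter, then concatenated into the SQL text.
function lookup_concat(PDO $db, string $id, callable $filter): array
{
    $sql = 'SELECT login FROM members WHERE id = ' . $filter($id);
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// "After": the SQL text is fixed; the value travels separately as a bound parameter
// and can only ever be compared as data, never parsed as SQL.
function lookup_bound(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT login FROM members WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs: a well-formed id, and one carrying SQL syntax but no quote,
// backslash or HTML metacharacter for either filter to escape.
$inputs = ['2', '0 OR 1=1'];
$filters = [
    'htmlspecialchars' => 'htmlspecialchars', // HTML output encoding
    'addslashes'       => 'addslashes',       // what magic_quotes_gpc did to request data
];

foreach ($inputs as $in) {
    foreach ($filters as $name => $filter) {
        printf("%-16s %-10s => %s\n", $name, $in, implode(',', lookup_concat($db, $in, $filter)));
    }
    printf("%-16s %-10s => %s\n", 'bound parameter', $in, implode(',', lookup_bound($db, $in)));
}
```

Both filters return the second input unchanged, so the concatenated query matches every row, while the bound version treats the whole string as a single value. Escaping of any kind only constrains input inside a quoted literal, which is why parameter binding is the dependable control.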


                                                                                                  • quantum-x
                                                                                                    Confirmed User
                                                                                                    • Feb 2002
                                                                                                    • 6863

                                                                                                    #50
                                                                                                    Originally posted by borked
                                                                                                    Interesting...
                                                                                                    How many people have access to the open source of NATS? Surely the only way to know where these exploits are, if what you say is correct, is to have access to the source.

                                                                                                    How come you have access to the source?
                                                                                                    A lot of exploits are found by brute forcing. Even public live distros like Backtrack have huge DBs of exploits you can just run over a site / server looking for penetration points.

                                                                                                    I don't have the full source, I just have it for a few key files that were left on my server after a tech did an upgrade. TMM knows I have seen them, and I promised them to pass on any info I saw in there that might cause problems, and I have
                                                                                                    PrettyInCash.com - BoozedGFs.com - TeenGFs.com - JizzGFs.com- MilfUploads.com -
