Monstrous security hole in Shinawatra Corp/cscoms


Did you get the Immigration Department database?

lol ... no, happily; if yes I would be very scared, entering a governmental database is VERY dangerous.

For now the problem is different; it is only about SMEs who have websites owned by cscoms.com/Shin Corp.

The topic of the post is: if enough people complain, maybe the sysadmin will do his work. It's not complicated or difficult.

For all I know, my subscription with this provider/web host will finish soon; I will just change to another who is more serious and who has the server in the USA, at least there they know what security means.


You would have to be pretty stupid to use a Thai ISP for anything more serious than personal shit. Thailand is not famous for its expertise in IT. What did you expect? You should see what I saw when I visited the back-office operation of LoxInfo. A total joke.

If you have valuable data or need to run a "secure" website, don't use a Thai ISP. You will find better deals in Europe and in the US.


Yeah, better off hosting in the US; apart from offering good service and unbelievable value, you will also be dealing with people who know what computers are about :laugh:

You are also more likely to get done for doing something Toxin's xenophobic government doesn't like.


If you have taken a look at the websites I listed, you can guess many are commercial websites.

I have not checked more, too dangerous, too bad also ... my first reaction was to report it to the ISP, and as they did nothing, I then thought to warn the people about it.

The hole exists, but it's not exploitable like that; you can only modify the database ... usually MySQL root is not root of the FTP (/home/user/www on a Unix server).

And yes, better to have a server in the USA, or to use PayPal.

And yes also, certainly it was not clever to post that; certainly I did not get more credibility ... I just hoped the owners of the different sites would react and save what can be saved. Well, I just hope it will not give me trouble in the future.


I can also give you some names of US web hosting companies, but that was not the topic, just to warn those who were on the list.

Today, at this hour, the hole exists; they did nothing.

Also, I got no PM, that must mean nobody cares about that ... then ... not my problem anymore

Sting

Message in a bottle


Don't hold your breath. Customer service here is also not their strong skill. The email address you used to contact them is probably never looked at.

How many times has AIS reset or killed my voice mail messages because of technical failures? You would think they would have that under control by now. Guess not.


Guest IT Manager

I had an hour on the phone today with Dr Tachaporn. Sting, let me know details as soon as possible please. He has already corrected one of the issues I asked him about. I believe the others will be looked at and attended to.

Secondly, I am looking for 4 or 5 IT specialists in various places around Thailand, to assist with some ICMP loss studies, related to VoIP.

If this describes you, please message me or contact me via my email address.

######


Hello IT

Well, what do you mean by details? I sent all the details to the tech support, but I will not post that here. The list of the companies is not dangerous, but the "how to do it" is dangerous, and yes, it would be criminal to say that here.

At the same time as I post here, I will verify whether the hole exists by now or not.

Back .... the hole exists ... I can be logged in to any database that is on the same server ... and that with the "login/password" I get for the FTP.

In fact there are 2 security holes .... First, as you must know, both accounts must be separate (different directory, different root users also); here I am logged in as root for the database, and not as user. This is why I see all the databases, and certainly the tables. It means the main folder for the database is not password protected (what about DENY/ALLOW?)

Second, if I have the shell (meaning I am root for a service or a daemon or anything) on a Unix-based server, then I can be root for all ... any script kiddie knows that...

I don't give details, because I don't need anybody else to try to exploit it. As you must know, a good sysadmin must be paranoid or he is not a good sysadmin.

Now, there is no need to ask the University to take care of that; there is only to check the configuration files and do things how they must be done. If you have contact with someone from the head office of Shin Corp, then he must mail me (with a well-known signature, and I will explain what and how).

About ICMP, I tried to contact you by Yahoo Messenger this weekend but you did not answer; give me more details and I will let you know if I can or not.

Best regards

Eric

PS I used another program, which is well known, and I detected the same hole. If you have some contact in Shin Corp, let them know I can do a security audit of their servers; usually I am not really expensive for that because in my opinion security is important.

Best regards

Sting

Ghost in the machine
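An added illustration, not code from the thread, from the poster or from the provider: the separation Sting describes (one hosting login must not be MySQL root for the whole shared server) checked from the defender's side by auditing what `SHOW GRANTS` reports for a hosting account. The account and database names below are constructed for the example.

```python
"""Audit MySQL grants for a shared-hosting account against least privilege.
Input is what `SHOW GRANTS FOR 'user'@'host'` returns, one grant per line."""
import re

# GRANT <privs> ON <db>.<table> TO <account> [WITH GRANT OPTION]
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+(?P<who>\S+)"
    r"(?P<grantopt>\s+WITH\s+GRANT\s+OPTION)?\s*;?$",
    re.IGNORECASE,
)


def audit_grants(grants, tenant_db):
    """Return findings for any grant that reaches beyond tenant_db."""
    findings = []
    for line in grants:
        m = GRANT_RE.match(line.strip())
        if not m:
            findings.append(f"unparsed grant line: {line.strip()}")
            continue
        privs = m.group("privs").upper()
        priv_list = [p.strip() for p in privs.split(",")]
        scope = m.group("scope")
        db = scope.split(".", 1)[0].strip("`")
        if scope == "*.*" and privs == "USAGE":
            continue  # USAGE ON *.* is MySQL's "no privileges" placeholder
        if db == "*":
            findings.append(f"global grant ({privs} ON *.*): every database on the host is reachable")
        elif db != tenant_db:
            findings.append(f"grant on another tenant's database: {privs} ON {scope}")
        if privs == "ALL PRIVILEGES" or "FILE" in priv_list:
            findings.append(f"FILE-capable grant on {scope}: server-side file read/write possible")
        if m.group("grantopt"):
            findings.append(f"WITH GRANT OPTION on {scope}: the account can hand out privileges")
    return findings


# Constructed sample: the shape of the problem in the thread, one hosting
# login that is effectively MySQL root for the whole shared server.
MISCONFIGURED = [
    "GRANT ALL PRIVILEGES ON *.* TO 'cust1'@'localhost' WITH GRANT OPTION",
]

# Constructed sample: one account per tenant, confined to its own database.
HARDENED = [
    "GRANT USAGE ON *.* TO 'cust1'@'localhost'",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `cust1_db`.* TO 'cust1'@'localhost'",
]
```

Run `audit_grants(MISCONFIGURED, "cust1_db")` to see the three findings the shared-root setup produces; the hardened grant set returns none.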
