[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <447CE08F.5020401@gulftech.org>
Date: Tue, 30 May 2006 19:17:19 -0500
From: GulfTech Security Research <security@...ftech.org>
To: bugtraq@...urityfocus.com
Cc: support@...selscripts.com
Subject: Re: [Info Disclosure] Diesel PHP Job Site Latest Version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
"All of the php developers that sell products online use this method"
Uh no, it doesn't work like that, sorry. If the original report is true
and you were receiving the private database passwords etc of your
customers then you are doing something that is negligent, deceiving, and
possibly breaking some laws.
I have worked for a large number of reputable software companies and
their "phone home" scripts usually work like this.
1) The bit that phones home is usually encoded with something like zend
accelerator or ion cube so that it is more difficult to tamper with.
2) When the script phones home it is usually with some sort of license
key, and sometimes includes your domain name and other minor details.
I have reviewed many proprietary code bases that use these phone home
methods, and all of the ones I have seen are harmless, and justified in
the data they are requesting. Never once have I seen a legitimate
application use phone home methods to send database credentials.
Would you please name for us one application that phones home with
credential information?
Kind Regards,
James
support@...selscripts.com wrote:
> Hello,
>
>
>
> To explain this to all visitors, the information is used to prevent any unauthorized copies from running on the web.
>
>
>
> All of the php developers that sell products online use this method or even more methods.
>
>
>
> Please stop making such a big deal out of this because it's our way of protecting our work and business.
>
>
>
> Thank you for understanding !
>
>
>
> DieselScripts Staff
>
> www.dieselscripts.com
>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (MingW32)
iQIVAwUBRHzggNR/maLeH1kRAQpdCA//fE/SbaGU2YPYNL3iZHp2DK9zOJHi+cKV
8Ln3g0F80Sj2jeETuLm6DvijS5E4xtXU1KzNHJpgMcQLKf+yI54LJWc3MxJDQeXE
9uW995J36xb5EBfSbdceI8QGK9XQUrG1C2AfXOM0JK1EeuSGd7O9LF+k8QAGh8Bk
9Jw2n6zopfFwxP1cP12dHZPbSPCk0wdwZrokn9jplZK4QIyH9mRBYG+XnnJlXtt8
/uj+5YS9U7KKuycM4WTwCUXiRI1vkFOudmpxv7qlSg7Cpbk7Jd+Efc+MvDcDBT6e
iHSb14ivFna6sv02zg8Gg9bMllRSfLkucFgfUza9G4v5XfMmBh3BHDx5ujkGXml9
ZFrVmaX5mNgFYuEFQr638ZdvAOqEtnQ+xrjiQG623rNo8NFlIPJBlhviR2qaiupt
go4HoH12x1D2Msi6dmI7OHr8i9DzKhOCs9InHoGVRNq2XJTPjljywSJgV1f+VFwh
y8jZzjzTi1SD3e0HMEaSiGbkYv3wEgTTuWnLzSvfYLLZ3gJMpNOmGc1gd7Y6b9wF
8w+tjVMkdow8EU1PdKv0Pacbh7Qx39yDwomW15YNgt6aKYoCQp10XsCH9U3MNSql
9pEyLItMyy3oyiYyOilPz1nAeaI1rvEAatZ4ddvQHdXa4Ly1fCKSIsEd+AEOpGxx
ua+s3V3PkSQ=
=yeV+
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists