Security Exploit with PHP Live!
dotCOM_host
07-14-06, 02:25 AM
Anyone using PHP Live! on their website - another commonly used 'live chat' system - we recently discovered a serious security exploit which allows hackers to upload arbitrary content to your web site and overwrite any and all files on it, including changing server password files.
We contacted the authors of PHP Live! and they reviewed the exploit, but suggested that they wouldn't have a fix for it until AT LEAST the end of this month (July), which means if you leave things as is, you'll be running a completely vulnerable application on your site with free-for-all access to overwrite your site content or take over the server at will.
For security purposes, we will not post the exploited filenames or methods.
The only short-term solution is to either completely remove PHP Live! from your site, or if you are on a Linux server, install something like mod_security Apache plugin and through means of regular expressions filter certain data from being passed in the URLs to your PHP Live! scripts. Feel free to contact me off-list if you'd like a copy of these RegEx filters if you are going to be using mod_security. I don't want to post the info here to show everyone how to exploit the PHP Live! application, or any other PHP or Perl driven scripts that may have a similar vulnerability.
Vic - WolfPaw Computers
07-14-06, 02:31 AM
We did announce this 3 weeks ago with almost identical information:
http://extranet.miva.com/forums/showpost.php?p=11989&postcount=1
Was there new information to provide or are you just taking credit for it as you did with another host's TOS recently?
dotCOM_host
07-14-06, 02:40 AM
Vic,
You announced an exploit for PHP Live Helper, which has been around for 4+ months by the time you posted that message. This one is for PHP Live! - not the same app. Close, but not the same thing.
dotCOM_host
07-14-06, 06:29 PM
... and to address your second half of allegations, Vic... perhaps have a look at Yahoo! TOS to see the true source of the wording you are referring to. Enough said. Insert foot in mouth, slowly... you and the host you were referring to.
chucklasker
07-15-06, 06:20 PM
Hey, guys! So what's a TOS?
Bruce - PhosphorMedia
07-15-06, 06:28 PM
"Terms of Service"...not that this thread should continue...
ILoveHostasaurus
07-15-06, 09:13 PM
Remik, as far as I can tell, the numerous changes we made, beginning no later than the third sentence in the first paragraph, are all mirrored in your copy of them. Yahoo's doesn't even have a paragraph in the second section about when maintenance is performed, but we do, and you copied most of our text word for word. I'm no statistician but the likelihood that you would have randomly created the same text as us would be astronomical. It's clear that text that we created was copied; I'm not sure why you would suggest otherwise, or what reason there could be to justify the offensive statements to Vic; that type of stuff should be sent in private rather than the forums. Hopefully Julie will delete this thread so this discussion can end.
dotCOM_host
07-15-06, 09:45 PM
I hope so as well. My point was that you simply copied it from Yahoo TOS, 95% of the text, so whatever Vic was bent over backwards for, he should have perhaps started with you first - OR taken it off-list rather than his usual negativity which he spreads in every forum he touches (well, almost... you get the point). I think this thread has gone completely wrong, too, and if Julie wants to delete it - so much the better.
All it was supposed to be was just a warning about an exploit in PHP Live! which the company who wrote it said they wouldn't fix for 3+ weeks, leaving all sites running this vulnerable. At least the PHP Live Helper exploit from ~5-6 months ago was fixed in a matter of a day or so, which is much more reasonable than outright admitting that the developer won't fix an obvious and serious exploit in a timely fashion.
chucklasker
07-15-06, 10:11 PM
Threads like these should definitely remain accessible. It's a great record of personalities. Heck, all my stupid posts on the user list are still in the archives! But ending the thread is understandable, IMO.
dotCOM_host
07-23-06, 01:54 AM
Yes Chuck... while I don't always agree with you on certain topics (hey, everyone's got an opinion - doesn't mean it's always right or always wrong), I do agree with you here - and find it interesting that the kettle is calling others black while he himself copied his TOS from the Lazarus Group, or Intersessions, or MetaNet, or 22 other sites that all appear to have virtually identical, word for word, TOS. How about that, Vic?
Vic - WolfPaw Computers
07-23-06, 02:09 AM
Yes, I used a template, and added several sections of our own verbiage per our legal team.
What I don't understand is why you insist on perpetuating a thread that has strayed off topic - for no constructive reason, just to try to take a jab at others.
dotCOM_host
07-23-06, 02:42 AM
Me take a jab?? You started the whole thing by bringing some crazy ideas about "stealing your thread" when it wasn't the case. Guess it doesn't feel all that great when one discovers that what you accuse others of - you are guilty of in the first place, eh? There's a word for it in the dictionary, and I'm sure you know what that word is. What I don't understand is that you keep bringing these things up, in public forums, instead of in private IF you had a legitimate concern, but obviously you don't and your mission is to keep spreading negativity and public accusations without much real substance. You keep talking about copying things, while you copy others' work. Heck, even the session you are supposedly doing at the MIVA conference sounds like a rehash of what we did at the 2005 conference. Don't have anything original to say? Please Vic - if you have something negative to say - keep it to yourself, and be a little more professional at least in public with your accusations. Not everyone in the world is out there to get you. Ghosts are not real. You can sleep at night with the lights off.
Vic - WolfPaw Computers
07-23-06, 02:51 AM
The session I've been asked to do is completely being created from scratch. It has nothing to do with, and is in no way associated with, your self-promotional session last year.
As for the rest, I will be professional - I won't be responding to this thread further. I see no need to perpetuate a dead subject.
dotCOM_host
07-23-06, 03:03 AM
Just FYI, we did two sessions, and one of them was supposed to be self-promoting - that's what we paid for. We've tried not to do "dotCOM this" and "dotCOM that" throughout the entire session and talk in more general terms, which I think we've done fairly well. Again, if you have more accusations - please stop putting them in public if you don't know the whole story, like in this case behind the sponsorship types we paid for. Once again - not too professional.
chucklasker
07-23-06, 06:56 AM
Yes Chuck... while I don't always agree with you on certain topics ....
What? That's news to me! Sigh. I guess you're not in my fan club, either. :(
leslienord
07-24-06, 03:18 PM
So does anyone have a TOS I can copy? :cool: