Forum Rules Security Announcements

Security related public announcements by phpCOIN personnel. This forum can NOT be posted to by the public


Reporting Security Incidents, How to report a suspected exploit
Posted: September 20, 2009 01:12 pm

The Janitor

Group: Admin
Posts: 3,641
Member No.: 3
Joined: August 25, 2006

If anyone suspects that a security vulnerability exists with the currently released version of phpCOIN - they should contact us at support<at>phpcoin<dot>com and supply working Proof Of Concept code

Please note: Do not just send us security scanner reports without first proving that the reported vulnerability can actually be successfully exploited - any such report should be accompanied by POC code and full documentation.

If you suspect you have been compromised using the current release of phpCOIN as an attack vector, please supply as much of the following as possible:

* the reasons you think the exploit vector was phpCOIN
* live fileset after the exploit as deployed (in a zip file)
* sql dump of the exploited fileset (in a zip file)
* full logs covering the exploit period (in a zip file)
* full details of server daemon / php / mysql versions
* any other data (eg FTP logs that are relevant to the exploit time-frame), ini or config files etc (in zip files)
* any comments or theories
* POC code that exploits the vector you are reporting (in a zip file)
* any corroborating proof this exploit is in the wild

Your data will be treated with the utmost confidentiality; the more you can provide us, the more likely it is that we can expose and rectify any vulnerabilities, if they exist!

DO NOT PERFORM PEN TESTING ON THE phpCOIN SERVERS !!! - that is a really good way of getting yourself banned from all the phpCOIN sites

If you can't provide any corroborating evidence that an exploit exists, or that you have been compromised using the current release of phpCOIN as the attack vector -- don't bother to post -- it ends up being your word against ours, nobody can prove it one way or another, and it does nothing to help the phpCOIN community

***** Unless otherwise stated, all replies refer to the following *****
--- The latest unmodified version of phpCOIN available from the phpCOIN download page on the date and time of this post.
--- All relevant HotFix files applied - One of the four included unmodified themes - The original language files.
--- Help will be given to install/configure/use phpCOIN, but not programming help to modify phpCOIN operations. If you are competent enough to make programming changes, you should be competent enough to read the source code and figure things out :)
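The post asks reporters to send the live fileset, the SQL dump, the logs and the version details as zip files. The script below is an added example, not from the phpCOIN post or project, showing how a site operator can package exactly those items into one timestamped bundle with a SHA-256 manifest, so the copy sent to the developers can be checked against the copy kept on site. It assumes `tar` and `sha256sum` are available, that the web root, the log directory and a previously produced SQL dump are passed as arguments, and that `php`, `mysql` and `apachectl` may or may not be installed (their version lines are simply left blank when absent). All paths and names are hypothetical.

```shell
#!/bin/sh
# Added example (not the phpCOIN project's code): bundle incident evidence
# and a hash manifest for a vulnerability/compromise report.
# Assumptions: tar and sha256sum exist; the SQL dump was produced beforehand,
# e.g. with: mysqldump --single-transaction <dbname> > dump.sql

# collect_evidence WEBROOT LOGDIR SQLDUMP OUTDIR
# Prints the path of the bundle directory it created.
collect_evidence() {
    webroot=$1; logdir=$2; sqldump=$3; outdir=$4
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    bundle="$outdir/phpcoin-incident-$stamp"
    mkdir -p "$bundle"

    # 1. live fileset after the exploit, preserved with permissions and mtimes
    tar -cpf "$bundle/fileset.tar" -C "$webroot" .

    # 2. SQL dump of the exploited installation (made beforehand, see above)
    cp "$sqldump" "$bundle/database.sql"

    # 3. full logs covering the incident period
    tar -cpf "$bundle/logs.tar" -C "$logdir" .

    # 4. server daemon / php / mysql versions; a line stays blank if the tool is absent
    {
        echo "uname: $(uname -a)"
        echo "php: $(php -v 2>/dev/null | head -n 1)"
        echo "mysql: $(mysql --version 2>/dev/null)"
        echo "httpd: $(apachectl -v 2>/dev/null | head -n 1)"
    } > "$bundle/versions.txt"

    # 5. integrity manifest so the recipient can confirm nothing changed in transit
    (cd "$bundle" && sha256sum fileset.tar database.sql logs.tar versions.txt > MANIFEST.sha256)

    echo "$bundle"
}

# verify_evidence BUNDLEDIR
# Returns non-zero if any file no longer matches the manifest.
verify_evidence() {
    (cd "$1" && sha256sum -c --quiet MANIFEST.sha256)
}
```

Compress the resulting directory with the archiver of your choice before sending it; keep the original bundle untouched on site so the manifest can be re-checked later. Written explanations (why you believe phpCOIN was the vector, your theories, any proof the exploit is in the wild) go alongside the bundle as plain text.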

