[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-disclosure] Cambiumgroup customers get hacked fast!
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] Cambiumgroup customers get hacked fast!
- From: angrycustomer@xxxxxxxxxxxx
- Date: Wed, 11 Feb 2009 15:44:19 -0500
Thought this might be the place to send this. We were using the
content system that cambiumgroup created and it resulted in me
losing my job because my employer got hacked. When I googled them I
found this posting in google's cache.
http://74.125.47.132/search?q=cache:PtwMBLcvxxsJ:www.vermontinternet
design.com/index.php%3Ftopic%3D597.0+cambiumgroup+Vulnerabilities&hl
=en&ct=clnk&cd=3&gl=us&client=safari
Hello everyone I would like to share this post with everyone here
on my site. I would like to talk about
the safety of your email accounts and what is being done to protect
them. Why its important that the
owner of a web development company understands what they are doing.
Well email accounts are prolly the most vulnerable part of any
web server. Simply because email accounts are typically the most
benifical to someone who is trying to breach your webserver. It is
profitable for a hacker to breach an email account. Why? Well why
is it profitable for you to do an email blast. The same reason it
is for a hacker to do one.
I was working for a company in St. Johnsbury Vermont (Cambium
Group LLC) for a couple of months. I was hired to do a backlog of
projects that the lead developer obviously wasnt capable of doing.
While I was working at this place I had noticed that someone had
unauthorized access to the companies internal webservers. I
mentioned to the owner of the company that someone had unauthorized
access to the web server.
He thought that I was crazy that someone could have possibly
done that. I simply couldnt sleep at night.
I checked the webserver and found they were using a website
monitoring service that had been hacked
into. Meaning there was a program that they used that access all of
the client webservers from there development server. Upon talking
to the owner and Secretary of this company. I learned that either
one of the owner of Cambium group or the Sales lady would admit
that there was a problem. They
were to worried about protecting a reputation than securing a web
server.
After this incident I decided to do a further investigation.
Upon closing my investigation I learned that
the people that I was working for were selling a very unsecured
content management system to Credit Unions. They had told me they
wanted me to protect there clients accounts and websites. However
when I mentioned that there were alot of security holes they didnt
want to take action to protect there
customers. They simply did not care. I would like to make everyone
aware of all of the problems that I found when working with
http://www.cambiumgroup.com .
1) I found that all of there webservers use the same
configuration. Big no no when you are working with
banks.
2) I found that large volumes of spam was being sent from company
and customer email accounts. Many
customers were complaining that emails where being sent that they
never sent.
3) I found that adding malformed urls to there content management
system will allow a remote user to run mysql queries directly on
there database.
4) I found that the admin password is the same on 100 websites
5) I found that the content management system would vulnerable to
bolth html injection and sql injection.
6) I found that there lead developer Jason Leno only knows basic
programming skills and denies that the
someone would be able to cause a problem due to the above issues.
7) I found that the web forms they were using on there Content
Management system would allow someone to send an email to a mailing
list.
8) I found that Scott Wells and Shari Choinard had no interest in
protecting there customers from the above issues.
9) I found out that they were charging $20,000 - $50,000 for an
application that opens up the clients
to the above vulnerabilities.
10) After working at this company for 2 months I learned that the
secretary Shari, and Scott Wells live together and neither one of
them knows anything about computer programming.
I am putting this posting here so to protect the customers of
that company. I know there are paying alot
of money for what they got and for the amount of money they are
charged they should not be opened up
to these security problems.
--
Be a professional. Click here to earn a psychology degree.
http://tagline.hushmail.com/fc/PnY6qxultlrtwxI8C5TG1niHYrBtAWdFS2UrVp0KDdMdGEikS5kUY/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/