Zamfoo users, Your Server’s ROOT Password is not SAFE!

Discussion in 'Web Hosting' started by TmaxHost.net, Jun 25, 2009.

Thread Status:
Not open for further replies.
  1. #1
    First of all, what I am going to disclose here is not a fake statement.
    I am also a user of Zamfoo and like this script, especially the support of Zamfoo.
    But I found that every time you run a Zamfoo upgrade, Zamfoo decodes the server root password and sends that password to .
    See the email below:

    version 3.1 license: xxxxxxxxxxxxxxx
     debugger: Summary of my perl5 (revision 5 version 8 subversion 8) configuration:
     Platform:
       osname=linux, osvers=2.6.18-128.1.1.el5.028stab062.3, archname=i686-linux
       uname='linux [B]Serverhost name[/B] 2.6.18-128.1.1.el5.028stab062.3 #1 smp sun may 10 18:54:51 msd 2009 i686 i686 i386 gnulinux '
       config_args='-ds -e -Dprefix=/usr/local -Doptimize=-Os -Duseshrplib -Dusemymalloc=y'
       hint=recommended, useposix=true, d_sigaction=define
       usethreads=undef use5005threads=undef useithreads=undef usemultiplicity=undef
       useperlio=define d_sfio=undef uselargefiles=define usesocks=undef
       use64bitint=undef use64bitall=undef uselongdouble=undef
       usemymalloc=y, bincompat5005=undef
     Compiler:
       cc='cc', ccflags ='-fno-strict-aliasing -pipe -Wdeclaration-after-statement -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/include/gdbm',
       optimize='-Os',
       cppflags='-fno-strict-aliasing -pipe -Wdeclaration-after-statement -I/usr/local/include -I/usr/include/gdbm'
       ccversion='', gccversion='4.1.2 20080704 (Red Hat 4.1.2-44)', gccosandvers=''
       intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=1234
       d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
       ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
       alignbytes=4, prototype=define
     Linker and Libraries:
       ld='cc', ldflags =' -L/usr/local/lib'
       libpth=/usr/local/lib /lib /usr/lib
       libs=-lnsl -lgdbm -ldb -ldl -lm -lcrypt -lutil -lc
       perllibs=-lnsl -ldl -lm -lcrypt -lutil -lc
       libc=/lib/libc-2.5.so, so=so, useshrplib=true, libperl=libperl.so
       gnulibc_version='2.5'
     Dynamic Linking:
       dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E -Wl,-rpath,/usr/local/lib/perl5/5.8.8/i686-linux/CORE'
       cccdlflags='-fpic', lddlflags='-shared -L/usr/local/lib'

    Characteristics of this binary (from libperl):
     Compile-time options: MYMALLOC PERL_MALLOC_WRAP USE_LARGE_FILES
                           USE_PERLIO
     Built under linux
     Compiled at Jun  3 2009 02:53:21
     @INC:
       /usr/local/lib/perl5/5.8.8/i686-linux
       /usr/local/lib/perl5/5.8.8
       /usr/local/lib/perl5/site_perl/5.8.8/i686-linux
       /usr/local/lib/perl5/site_perl/5.8.8
       /usr/local/lib/perl5/site_perl
       .

     querystring: license=[B]YouZamfooLicenseDetail[/B]
     compare:
     capture: read_license,pathtranslated,php_exec_curl,parse xml,parseurl,
     capture2: PATH=/usr/local/jdk/bin:/usr/kerberos/sbin:/usr/kerberos/bin:/usr/lib/courier-imap/sbin:/usr/lib/courier-imap/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/usr/local/bin:/usr/X11R6/bin:/root/bin:/opt/bin
    DOCUMENT_ROOT=/usr/local/cpanel/base
    SERVER_SOFTWARE=cpaneld
    CPANEL=active
    SERVER_PORT=2086
    SERVER_PROTOCOL=HTTP/1.1
    GATEWAY_INTERFACE=CGI/1.1
    DNS=yourdomain.com
    REMOTE_HOST=212.116.219.101
    REMOTE_ADDR=212.116.219.101
    REMOTE_PORT=38184
    SERVER_ADDR=[B]YourServerMainIP[/B]
    REQUEST_METHOD=GET
    CONTENT_LENGTH=
    QUERY_STRING=
    ACCEPT_ENCODING=gzip,deflate
    TRANSFER_ENCODING=
    REQUEST_URI=/cgi/zamfoo/zamfoo_b9_toolset.cgi
    SCRIPT_URI=/cgi/zamfoo/zamfoo_b9_toolset.cgi
    HTTP_X_FORWARDED_FOR=[B]xxxxxxxx[/B]
    HTTP_USER_AGENT=Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11
    HTTP_REFERER=http://xxxxxxxxxxxxx:2086/cgi/zamfoo/zamfoo_landing_root.cgi
    CONTENT_TYPE=
    HTTP_COOKIE=logintheme=cpanel; whostmgrrelogin=no; whostmgrsession=closed
    HTTP_ACCEPT_CHARSET=ISO-8859-1,utf-8;q=0.7,*;q=0.7
    HTTP_ACCEPT_ENCODING=gzip,deflate
    HTTP_ACCEPT_LANGUAGE=en-us,en;q=0.5
    HTTP_ACCEPT=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    HTTP_HOST=ServerMainIP
    SERVER_NAME=ServerMainIP
    SUBID=
    UPLINK=
    REMOTE_USER=root
    [B]REMOTE_PASSWORD=xxxxxxxxxxx[/B]
    SCRIPT_NAME=/cgi/zamfoo/zamfoo_b9_toolset.cgi
    SCRIPT_FILENAME=/usr/local/cpanel/whostmgr/docroot/cgi/zamfoo/zamfoo_b9_toolset.cgi
    REDIRECT_STATUS=1
    Code (markup):
    I have changed and bolded my server details.

    How can you test this on your server?

    I don't know whether it works for you or not, but try it.
    Create a cPanel account with the domain zamfoo.com,
    then create an email ID in this account via cPanel.

    Now run the upgrade via Zamfoo >> B9 Tool Set - BETA >> check Update ZamFoo
    and click Do It.

    After that, check the email of
    You will see the email above.

    Method 2:
    Block all outgoing email, then check Mail Queue Manager under root WHM after upgrading Zamfoo; you will see this email.
     
    TmaxHost.net, Jun 25, 2009 IP
    sam007 likes this.
  2. Xpertusman

    Xpertusman Banned

    #2
    Thank God, we do not use Zamfoo.
     
    Xpertusman, Jun 25, 2009 IP
  3. hmughal75

    hmughal75 Banned

    #3
    Yes, you are right :( I've tried your method number 1, and I found my password in that email. But I think if we change the password when we are updating Zamfoo, and after updating change the password again, then we will be secure. What do you guys say? Anyhow, I heard many bad reviews about Deasoft, but Zamfoo :S
     
    hmughal75, Jun 25, 2009 IP
  4. dude91

    dude91 Well-Known Member

    #4
    OK, now this is shocking!
     
    dude91, Jun 25, 2009 IP
  5. jonjani

    jonjani Peon

    #5
    If I upgrade my Zamfoo, is my password automatically sent to ?
     
    jonjani, Jun 25, 2009 IP
  6. sawz

    sawz Prominent Member

    #6
    Very shocking. Anything that sends your password in the clear is, for lack of a better word, totally screwed up. I never used them and never will.
     
    sawz, Jun 25, 2009 IP
  7. papa2ae

    papa2ae Active Member

    #7
    If this is true, then they will lose A LOT of their current client base. Plus, this is an illegal act, as it doesn't state anywhere that your root password needs to be updated after you upgrade. Even so, what would they need our root passwords for in the first place?

    Currently, I will stay away from this product. If they did it the first time, I'm sure they will find another way to broadcast/send your root password with a different method, as this was intended and it does retrieve your password by force.

    You can sue Zamfoo for what they have done. To be honest, such a product on the market should NOT be used at all ...

    Just my 2 cents.
    Regards
     
    papa2ae, Jun 25, 2009 IP
  8. bentink

    bentink Peon

    #8
    No Master Reseller script is good or secure.
     
    bentink, Jun 25, 2009 IP
  9. hostydotnet

    hostydotnet Active Member

    #9
    Hi,

    This is a terrible, terrible mistake. It was for testing purposes. It made its way into the release accidentally. I assure you that I didn't even know it was there. I will publish a patch for it right now. Give me 1 hour.

    Kevin
     
    hostydotnet, Jun 25, 2009 IP
  10. bentink

    bentink Peon

    #10
    But why does the root password need to be sent, even for testing purposes?
     
    bentink, Jun 25, 2009 IP
  11. hostydotnet

    hostydotnet Active Member

    #11
    Hi,

    Clearly it doesn't. The code requires grabbing the environment variables of the server and Perl to function properly. The code was modified to mail the environment variables for testing purposes, for creating the ffmpeg installer, which was a new feature in 3.3. By accident, the part that outputs it was not removed from that file. I am making the patches now. I will send out an urgent email to all clients on how to install the patch and will offer to do the patch for anyone who can't do it.

    Kevin
     
    hostydotnet, Jun 25, 2009 IP
  12. hostydotnet

    hostydotnet Active Member

    #12
    Hi,

    Patches are available now for 3 of the 4 architectures.
    If your architecture is i386 or you can't perform the patch, please contact us on IM chat support immediately and we will fix it for you. We will be online for the next 10-12 hours waiting to assist.

    To fix this problem go to http://www.zamfoo.com/downloads/

    • navigate to your architecture (this is shown in the root screen in the footer)
    • download critical_patch.zip
    • unzip it
    • move the file in binary format to /usr/local/cpanel/whostmgr/docroot/cgi/zamfoo
    • then verify that it is no longer sending this data.

    An email is scheduled to go out to all clients as soon as PHP finishes recompiling.

    Again, this is a terrible, terrible mistake. I assure you that I have not written 80 thousand lines of code to throw it away over something like this. I am trying to sell the software.... not root someone's box. I even commented on a similar post to this in defense of Deasoft.

    Again, if further clarification is needed on how and why this happened, please ask questions. I will fully explain. I am pulling future downloads and installations of the script until I officially release version 3.4 later today, at which time the patch will be available in the update.

    Thanks,
    Kevin
     
    hostydotnet, Jun 25, 2009 IP
  13. TmaxHost.net

    TmaxHost.net Active Member

    #13
    Dear Kevin, I respect your work and I also like your support.
    Why did you not notice hundreds of such emails with root passwords received at your support email ID?
    You needed to patch after receiving the first email.
    How can we believe you anymore??
    WHMreseller lost people's trust after years, but you lost it in less than one year.
     
    TmaxHost.net, Jun 25, 2009 IP
  14. hostydotnet

    hostydotnet Active Member

    #14
    Hi,

    There were not hundreds of emails. There were only a few. Most clients regularly give us their root logins to assist them with configuring the software, diagnosing any problems or teaching them how to use the software. I will say again that I am trying to sell the software and not root your boxes. It is very unfortunate that this has happened. I provide the best support available because reputation IS EVERYTHING.

    I was unaware that cPanel even stored a plain-text password in an environment variable. I'm actually quite amazed this is the case. The part that I needed to investigate for the script was located at the top of the output. It was included in the output because the code I used output all environment variables.

    I didn't even look past the top part to notice that it was reporting a plain-text password, or notice it in the output.

    Unfortunately I can't change what happened now. I'm sorry if I have tarnished your respect for the software. The only thing I can do is correct it and make sure it doesn't happen again. I understand there may be some side effects from this, but there clearly isn't much I can do about it now since it has already happened.

    Kevin
     
    hostydotnet, Jun 25, 2009 IP
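Post #1's test method comes down to scanning a captured email or queued message for leaked credentials, and post #14 puts the root cause on debug code that mailed every environment variable. The following Python is an added example, not code from the thread or from Zamfoo: it parses a KEY=VALUE dump in the shape of the leaked email, flags credential-bearing variables, and shows a redacting dump that would have kept the diagnostics Kevin needed without the password. The sample email and the sensitive-name patterns beyond REMOTE_PASSWORD are constructed assumptions.

```python
import re

# Names that carry credentials or session material and must never reach debug
# output, log lines or outbound mail. REMOTE_PASSWORD is the variable the
# thread shows cPanel/WHM exposing; the other patterns are an assumption about
# what a reviewer would also want flagged, not a list taken from the thread.
SENSITIVE_ENV = re.compile(
    r"PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|^HTTP_COOKIE$|^HTTP_AUTHORIZATION$",
    re.IGNORECASE,
)

# KEY=VALUE, optionally prefixed by a label such as "capture2: " as in the
# leaked email. Anything else (perl -V output, headers) is not an env line.
ENV_LINE = re.compile(r"^\s*(?:\w+:\s*)?([A-Za-z_]\w*)=(.*)$")


def parse_env_dump(text):
    """Collect the environment variables found in a captured message body."""
    env = {}
    for line in text.splitlines():
        m = ENV_LINE.match(line)
        if m:
            env[m.group(1)] = m.group(2)
    return env


def find_leaked_credentials(text):
    """Names of sensitive variables that were sent with a non-empty value.
    This is the check to run over the email from post #1 or a message held in
    the mail queue (method 2) when re-verifying a server after an update."""
    env = parse_env_dump(text)
    return sorted(k for k, v in env.items() if SENSITIVE_ENV.search(k) and v)


def safe_env_dump(env):
    """Debug rendering of an environment: every key is listed so diagnostics
    such as PATH or SERVER_SOFTWARE survive, but sensitive values are replaced
    before the text is logged or mailed anywhere."""
    lines = []
    for key in sorted(env):
        value = "<redacted>" if SENSITIVE_ENV.search(key) else env[key]
        lines.append(f"{key}={value}")
    return "\n".join(lines)


# Constructed sample modelled on the dump quoted in post #1; values are made up.
SAMPLE_EMAIL = """\
 capture2: PATH=/usr/local/bin:/bin:/usr/bin
DOCUMENT_ROOT=/usr/local/cpanel/base
SERVER_SOFTWARE=cpaneld
SERVER_PORT=2086
HTTP_COOKIE=logintheme=cpanel; whostmgrsession=closed
REMOTE_USER=root
REMOTE_PASSWORD=example-not-a-real-secret
SCRIPT_NAME=/cgi/zamfoo/zamfoo_b9_toolset.cgi
"""

if __name__ == "__main__":
    print("leaked:", find_leaked_credentials(SAMPLE_EMAIL))
    print(safe_env_dump(parse_env_dump(SAMPLE_EMAIL)))
```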
  15. hostydotnet

    hostydotnet Active Member

    #15
    Hi,

    There is now a patch available through the update function. An email to all clients has been queued for sending. Please run the update function. Verify that the version has changed to version 3.4.

    After a successful update, immediately change your password. We encourage you to retest and ensure that this gap is fully closed. Please read the formal email that we have sent out.

    Thanks,
    Kevin
     
    hostydotnet, Jun 25, 2009 IP
  16. honeyhosting

    honeyhosting Member

    #16
    Kevin is the best! He has always been very helpful to me since I started using his software. I do not believe it was an attempt to hack servers. I will stand by him.
     
    honeyhosting, Jun 25, 2009 IP
  17. hostydotnet

    hostydotnet Active Member

    #17
    Hi,

    Indeed. Thank you for your support. I know all too well how valuable reputation is. That is why I provide the support levels that I do.

    I am really upset by this whole thing. I would like to add again that I had no idea this was possible. Here is an old DP post from me regarding the exact same report about WHMreseller:

    http://forums.digitalpoint.com/showthread.php?t=1270290

    This post shows you that I had no idea it was possible and provides my theories about why anyone trying to make money would do such a thing.

    It also says how you can detect if something like this is occurring.... quite ironic since it happened to me for my software.

    I have tried and done my best to be professional about the whole mishap by clearly admitting the mishap via formal email, clearly explaining the hows, whats, wheres, whens and whys of how this happened, and correcting it in record time even by my standards, all while continuing to provide support and new development.

    I can only say "what a tragedy this has been", since my reputation has been nothing short of spotless up to this moment. I'm going to have a beer now and drink myself happy again.

    Kevin
     
    hostydotnet, Jun 25, 2009 IP
  18. hostydotnet

    hostydotnet Active Member

    #18
    Hi,

    I feel and hope that this matter is now closed. I am providing for public record the email that has been sent to every client regarding this matter.

    Email
    ------

    Hi,

    We regret to inform everyone that a mistake was made when releasing version 3.3.

    We did not remove a piece of debugging code from our script. The debugging code, unbeknownst to us, was mailing us root credentials in plain text. This has been pointed out on some forums this morning.

    We are terribly sorry that this has occurred. Earlier today we released an initial patch. We now have a full patch available which can be run through the easy updater.

    We understand the full severity of this mishap and hope that you continue to trust our software, support and intention of not causing harm to your business, your systems or anyone else's systems through your servers.

    Full explanations, ways to replicate the problem and see it first hand, and an explanation of how and why this piece of code was in the software can be found on the forums.digitalpoint.com and webhostingtalk.com websites, as well as the method to verify in the future that this doesn't occur.

    Please do the following IMMEDIATELY:
    --------------------------------------------

    Run the update script from the B9 toolset,
    then verify that you are running version 3.4 from the footer of the root reseller screen,
    then change your root password.

    We will not confirm on an individual server, client or license basis that the problem has been corrected, but will ask the clients and people who have reported the problem to confirm publicly that the problem has been corrected.

    We value your business greatly and cherish our good standing reputation. We can only hope that this blemish doesn't permanently impact the view of how good or how secure the software is.

    Sincerest apologies,
    Kevin
     
    hostydotnet, Jun 25, 2009 IP
  19. SeoHawk

    SeoHawk Banned

    #19
    That Zamfoo is really strange, man; today no company is secure. I can't believe it, omg.
    Thanks dude...

    - SeoHawk :)
     
    SeoHawk, Jun 25, 2009 IP
  20. coldgansta

    coldgansta Guest

    #20
    I used Zamfoo on my server.
    My server was hacked 3 times; I had to close it as I lost too many clients to keep the server.
    This seemed to happen after I updated Zamfoo...
    I updated 3 times and was hacked 3 times...

    Hostgator, who I rented the server from, told me that the hacker knew the root password, which was 50 digits.

    I am not saying that it was them or anyone that worked for them, but this does seem very suspicious to me now and I will be passing this info to the Hostgator security team.
     
    coldgansta, Jun 25, 2009 IP