Security Flaw Hits VAserv; Head of LxLabs Found Hanged
Keldrin_1 writes "The discovery of 24 security vulnerabilities may have contributed to the death of the chief of LxLabs. A flaw in the company's HyperVM software allowed data on 100,000 sites, all hosted by VAserv, to be destroyed. The HyperVM solution is popular with cheap web hosting services and the attacks are easy to reproduce, which could lead to further incidents."
Sounds like the guy needed some more help than he got to get to grips with his personal situation. Anyway ...
The flaws include SQL injection vulnerabilities and flaws that create a way for hackers to gain file access to files hosted on a vulnerable system.
There is no excuse for SQL Injection vulnerabilities these days. The problem is well known and publicised, the solutions are well documented. This is a problem that is solved by altering how you code, which results in neater code with fewer errors. If you can't use prepared/parameterised statements and insist on building SQL command strings out of user supplied data, then ... well, err, I can't say "you deserve to hang" in this case can I?
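An added illustration of the point above, not code from the thread or from HyperVM: the string-built query beside its parameterised form, run against a constructed in-memory SQLite table. The table, owner names and the tampered input are all made up for the example.

```python
import sqlite3

def make_db():
    # Constructed sample data: a minimal table of the kind a hosting panel keeps.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE vps (id INTEGER, owner TEXT, hostname TEXT)")
    conn.executemany("INSERT INTO vps VALUES (?, ?, ?)", [
        (1, "alice", "vps1.example.test"),
        (2, "bob", "vps2.example.test"),
    ])
    return conn

def list_vps_vulnerable(conn, owner):
    # The SQL command string is assembled from user-supplied data, so any quote
    # character inside `owner` becomes part of the query's syntax.
    sql = "SELECT hostname FROM vps WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]

def list_vps_parameterised(conn, owner):
    # The placeholder binds `owner` as a value: whatever it contains is compared
    # as a string and is never parsed as SQL.
    sql = "SELECT hostname FROM vps WHERE owner = ?"
    return [row[0] for row in conn.execute(sql, (owner,))]

def demo():
    conn = make_db()
    honest = "alice"
    # Constructed input in which the quote ends the intended string literal.
    tampered = "alice' OR 'x'='x"
    return {
        "vulnerable_honest": list_vps_vulnerable(conn, honest),
        "vulnerable_tampered": list_vps_vulnerable(conn, tampered),
        "parameterised_honest": list_vps_parameterised(conn, honest),
        "parameterised_tampered": list_vps_parameterised(conn, tampered),
    }

if __name__ == "__main__":
    for name, hosts in demo().items():
        print(f"{name}: {hosts}")
```

The string-built version returns every row for the tampered input because the comparison has become a tautology; the parameterised version treats the same input as an owner name that matches nothing.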
TFA: "Ligesh [from LxLabs] was also still coming to terms with the suicides by hanging of his sister and mother five years ago."
I suspect that this was the result of a lot of bad things going on in his life, and not just because of the software issues.
WTB [sig], PST!!!
I have very mixed feelings on security firms releasing exploits to the public just to try and get results. In my (admittedly limited) experience, more bad has come from releasing exploits publicly than good.
-JJS
But once you've informed the supplier, and allowed enough time for a fix to be created, tested, rolled into a patch, QAed, released to clients and tested+installed by clients, what other alternative is there? Quietly forgetting about it and just hoping that you are the only people who know about the issue and no black-hats out there will find it is simply not an option.
Request: Please no one post links to the VAserv status page. The last thing we need is to /. them right now. Customers have been emailed the URL and we are the only ones who really need to see it (plus it isn't very interesting).
VAserv have emailed customers to say they will be taken over by BlueSquare (where they do most of their hosting anyway). Probably the best option given the scale of the attack.
I've got one apparently deleted VPS and one still running. The whole situation is terribly frustrating. However I don't think the lack of information coming from VAserv is due to a lack of effort on their part.
Five years ago, not a few months.
Yes, I meant hanged. Sorry, English is not my first language.
There is only so much due diligence you can do if their claims are not true.
Phillip.