Re: Is Rocksolid Light really compromised and insecure?

Path csiph.com!weretis.net!feeder9.news.weretis.net!news.nk.ca!.POSTED.doctor.nl2k.ab.ca!not-for-mail
From doctor@doctor.nl2k.ab.ca (The Doctor)
Newsgroups news.admin.peering, comp.security.misc, news.software.nntp
Subject Re: Is Rocksolid Light really compromised and insecure?
Date Tue, 22 Jul 2025 14:36:00 -0000 (UTC)
Organization NetKnow News
Message-ID <105o7kg$gi0$5@gallifrey.nk.ca>
References <104tuhe$2r60t$1@paganini.bofh.team> <687f44fc$0$61204$882e4bbb@reader.netnews.com>
Injection-Date Tue, 22 Jul 2025 14:36:00 -0000 (UTC)
Injection-Info gallifrey.nk.ca; posting-host="doctor.nl2k.ab.ca:204.209.81.1"; logging-data="16960"; mail-complaints-to="usenet@gallifrey.nk.ca"
X-Newsreader trn 4.0-test77 (Sep 1, 2010)
Originator doctor@doctor.nl2k.ab.ca (The Doctor)
Xref csiph.com news.admin.peering:3103 comp.security.misc:1586 news.software.nntp:11528

Cross-posted to 3 groups.



In article <687f44fc$0$61204$882e4bbb@reader.netnews.com>,
Billy G. (go-while) <no-reply@no.spam> wrote:
>On 12.07.25 17:21, Anonymous wrote:
>> Some have claimed that Rocksolid Light is insecure. They have claimed
>> that there are many vulnerabilities in the codebase. They have claimed
>> that Rocksolid Light should not be used or peered.
>> 
>> Yet I have not seen a single supposed vulnerability demonstrated.
>> 
>> I have not seen any CVE filings.
>> 
>> Can anyone demonstrate and prove any of the claimed exploits?
>> 
>> Where would I find such proofs?
>> 
>
>Yes and if anyone is still running [rocksolid / rslight] (PHP):
>
>1. Turn it off!
>2. Backup /etc/rslight and /var/spool/rslight folders!
>3. Do NOT delete any configs or data!
>4. Wait for pugleaf.net open source release!
>5. Import to new software and be happy!
>
>If you don't want to turn your rslight off...
>Deny access from public and use it locally only.
>
> > The path traversal vulnerability was used to rescue valuable 
>community data from the rocksolidbbs.com server.
>
>Works on all other domains too and there is nobody to install a patch..
>Passwords are already leaked... kids found the way in...
>
>That's not the only vulnerability but I won't publish any more details.
>
>We'll see how long his servers and sites keep running.
>
>Domain expiry = end of life for the sites
>
>novabbs.com / novabbs.org / novalink.us will expire in Jan/Feb 2026.
>rocksolidbbs.com at the end of Nov 2025 and i2pn2.org at the end of the year 2025.
>
>Maybe there is credit... but if not ...
>
>... RIP Retro Guy ...
>
>https://github.com/go-while/rocksolid-light/blob/claude-sonnet-4-test2/Rocksolid_Light/CRITICAL_VULNERABILITY.md
>
>https://github.com/go-while/rocksolid-light/tree/claude-sonnet-4-test2
>
>https://github.com/go-while/rocksolid-light
>
>🚨 CRITICAL SECURITY NOTICE
>
>This codebase contains multiple critical security vulnerabilities and is 
>no longer under active development.
>Status: DEPRECATED AND UNSAFE FOR PRODUCTION USE
>
>     Path Traversal Vulnerabilities: Complete file system access possible
>     SQL Injection Attacks: Database compromise via multiple vectors
>     Input Validation Failures: User input processed without 
>sanitization throughout
>     Legacy PHP Anti-Patterns: 20-year-old vulnerable coding practices
>     Architectural Security Flaws: No security boundaries or privilege 
>separation
>
>Evidence of Active Exploitation
>
>This codebase was actively compromised for over 1 year (May 2024 - June 
>2025) with evidence of:
>
>     Automated SQL injection campaigns
>     File system pollution via malicious newsgroup names
>     Systematic database content extraction
>     Hundreds of attack artifacts preserved in the filesystem
>
>Why Development Has Stopped
>
>After comprehensive security analysis, this codebase is beyond repair:
>
>     50+ distinct attack vectors across all major components
>     No security architecture to retrofit modern protections
>     Interconnected vulnerabilities where fixes create new problems
>     Legacy dependencies that prevent meaningful security improvements
>
>
>📧 SECURITY ADVISORY FOR ROCKSOLID LIGHT ADMINISTRATORS
>Subject: CRITICAL SECURITY VULNERABILITIES - Immediate Action Required
>
>To: RockSolid Light Administrators
>From: Security Research Team
>Date: June 20, 2025
>Severity: CRITICAL
>
>🚨 EXECUTIVE SUMMARY
>
>Multiple critical security vulnerabilities have been discovered in 
>RockSolid Light installations, with evidence of active exploitation 
>spanning May 2024 - June 2025.
>
>Any RockSolid Light instance running during this period should be 
>considered potentially compromised.
>
>⚠️ IMMEDIATE ACTION REQUIRED
>
>You are running RockSolid Light:
>
>     Take your installation offline immediately
>     Audit your system logs for suspicious activity
>     Check your spool directory for unusual files (see indicators below)
>     Consider your system potentially compromised
>     Do not restart without applying security fixes
>
>🔍 VULNERABILITY DETAILS
>Primary Vulnerability: Path Traversal (CVE Pending)
>
>     File: /var/www/html/spoolnews/files.php
>     Impact: Complete file system access
>     Exploitation: Active attacks documented since May 2024
>
>Vulnerable Code Pattern:
>
>// files.php - Critical path traversal
>$getfilename = $spooldir . '/upload/' . $_REQUEST['showfile'];
>readfile($getfilename);  // NO PATH VALIDATION
>
>Attack Vector:
>
>     Attacker extracts site key from HTML form
>     POST request with malicious showfile parameter
>     Can read any system file accessible to web server
>     Enables extraction of SSH credentials, database contents, 
>configuration files
>
>Secondary Vulnerability: SQL Injection via Newsgroup Names
>
>     Impact: Database manipulation and file system pollution
>     Evidence: Hundreds of malicious database files found
>     Attack Method: Injection through NNTP protocol and group name 
>processing
>
>🕵️ COMPROMISE INDICATORS
>
>Check your spool directory for files with suspicious names:
>
># Look for files containing SQL injection patterns
>find /var/spool/rslight -name "*CASE WHEN*" -o -name "*SELECT*" -o -name "*UNION*"
>find /var/spool/rslight -name "*ORDER BY*" -o -name "*CONCAT*" -o -name "*CHAR(*"
>
>Example malicious filenames found:
>
>(CASE WHEN (2018=4830) THEN 'newsgroup' ELSE SELECT...)-data.db3
>comp.lang.python' WHERE 7629=7629 AND 5482=CONCAT...-data.db3
>DOVE-Net.Synchronet_Announcements ORDER BY 3123-- fnTQ-cache.txt
>
>If you find such files, your system has been compromised.
>
>🎯 ATTACK TIMELINE
>
>     May 2024: First evidence of SQL injection attacks
>     May 2024 - June 2025: Continuous automated exploitation
>     March 2025: Retro Guy's system was under active attack during his 
>final months
>     June 2025: Vulnerabilities discovered and documented
>
>💾 DATA AT RISK
>
>Potentially Compromised Information:
>
>     System/Web configuration files and encryption keys
>     All newsgroup content and user messages
>     User account databases and authentication data
>     SSH credentials and server access
>     Email addresses and user metadata
>     Any sensitive data accessible to the web server
>
>🛠️ IMMEDIATE REMEDIATION STEPS
>
>Emergency Shutdown
>
># Stop web server and NNTP service immediately
>systemctl stop apache2 nginx
>
>Evidence Preservation
>
># Backup current state for forensic analysis
>tar -czf rocksolid-incident-$(date +%Y%m%d).tar.gz /var/spool/rslight/
>
>This vulnerability was discovered during a digital preservation effort 
>following Retro Guy's passing in March 2025.
>
>The path traversal vulnerability was used to rescue valuable community 
>data from the rocksolidbbs.com server.
>
>-------------------------------------------------------------
>-------------------------------------------------------------
>-------------------------------------------------------------
>
>
>-- 
>.......
>Billy G. (go-while)
>

Must be rectified!
-- 
Member - Liberal International This is doctor@nk.ca Ici doctor@nk.ca
Yahweh, King & country!Never Satan President Republic!Beware AntiChrist rising!
Look at Psalms 14 and 53 on Atheism ;
All I want to hear from Jesus Christ is Well done Good and Faithful servant
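
The `files.php` pattern quoted in the advisory above joins `$_REQUEST['showfile']` onto the upload directory and reads the result with no check. The following is an added example, not part of either post and not rslight's own code, showing one way to contain such a lookup in PHP; `resolve_upload_path()` and the temporary demo tree are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not rslight code): map a client-supplied name to a
// real file under $spooldir/upload, or return null if it resolves elsewhere.
function resolve_upload_path(string $spooldir, string $requested): ?string
{
    // Reject empty names and NUL bytes before touching the filesystem.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    $root = realpath($spooldir . '/upload');
    if ($root === false) {
        return null; // upload root does not exist
    }
    // realpath() resolves "..", "." and symlinks; false if nothing is there.
    $real = realpath($root . '/' . $requested);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Compare against root plus separator, so a sibling such as
    // "upload-old" cannot pass a bare prefix test on "upload".
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// Constructed demo tree in the temp directory (sample data only).
$spooldir = sys_get_temp_dir() . '/rslight-demo-' . bin2hex(random_bytes(4));
mkdir($spooldir . '/upload', 0700, true);
file_put_contents($spooldir . '/upload/ok.txt', 'attachment');
file_put_contents($spooldir . '/secret.conf', 'outside the upload root');

// One name inside the root, one parent-directory escape, one absolute path.
foreach (['ok.txt', '../secret.conf', '/etc/passwd'] as $name) {
    $path = resolve_upload_path($spooldir, $name);
    printf("%-16s %s\n", $name, $path === null ? 'refused' : 'served');
}

// Remove the demo tree.
unlink($spooldir . '/upload/ok.txt');
unlink($spooldir . '/secret.conf');
rmdir($spooldir . '/upload');
rmdir($spooldir);
```

In the quoted pattern, a check of this kind would sit between building the path and the `readfile()` call, which would then run only on a non-null result.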
