Groups | Search | Server Info | Login | Register

Groups > news.admin.peering > #3102

Re: Is Rocksolid Light really compromised and insecure?

Date 2025-07-22 09:59 +0200
Subject Re: Is Rocksolid Light really compromised and insecure?
Newsgroups news.admin.peering
References <104tuhe$2r60t$1@paganini.bofh.team>
From "Billy G. (go-while)" <no-reply@no.spam>
Organization github.com/go-while
Message-ID <687f44fc$0$61204$882e4bbb@reader.netnews.com> (permalink)

Show all headers | View raw

On 12.07.25 17:21, Anonymous wrote:
> Some have claimed that Rocksolid Light is insecure. They have claimed that there are many vulnerabilities in the codebase. They have claimed that Rocksolid Light should not be used or peered.
> 
> Yet I have not seen a single supposed vulnerability demonstrated.
> 
> I have not seen any CVE filings.
> 
> Can anyone demonstrate and prove any of the claimed exploits?
> 
> Where would I find such proofs?
> 

Yes and if anyone is still running [rocksolid / rslight] (PHP):

1. Turn it off!
2. Backup /etc/rslight and /var/spool/rslight folders!
3. Do NOT delete any configs or data!
4. Wait for pugleaf.net open source release!
5. Import to new software and be happy!

If you don't want to turn your rslight off...
Deny access from public and use it locally only.

 > The path traversal vulnerability was used to rescue valuable 
community data from the rocksolidbbs.com server.

Works on all other domains too and there is nobody to install a patch..
Passwords are already leaked... kids found the way in...

That's not the only vulnerability but i won't publish any more details.

We'll see how long his servers and sites keep running.

Domain expiry = end of life for the sites

novabbs.com / novabbs.org / novalink.us will expiry in jan/feb 2026.
rocksolidbbs.com in end of nov 2025 and i2pn2.org end of the year 2025.

Maybe there is credit... but if not ...

... RIP Retro Guy ...

https://github.com/go-while/rocksolid-light/blob/claude-sonnet-4-test2/Rocksolid_Light/CRITICAL_VULNERABILITY.md

https://github.com/go-while/rocksolid-light/tree/claude-sonnet-4-test2

https://github.com/go-while/rocksolid-light

🚨 CRITICAL SECURITY NOTICE

This codebase contains multiple critical security vulnerabilities and is 
no longer under active development.
Status: DEPRECATED AND UNSAFE FOR PRODUCTION USE

     Path Traversal Vulnerabilities: Complete file system access possible
     SQL Injection Attacks: Database compromise via multiple vectors
     Input Validation Failures: User input processed without 
sanitization throughout
     Legacy PHP Anti-Patterns: 20-year-old vulnerable coding practices
     Architectural Security Flaws: No security boundaries or privilege 
separation

Evidence of Active Exploitation

This codebase was actively compromised for over 1 year (May 2024 - June 
2025) with evidence of:

     Automated SQL injection campaigns
     File system pollution via malicious newsgroup names
     Systematic database content extraction
     Hundreds of attack artifacts preserved in the filesystem

Why Development Has Stopped

After comprehensive security analysis, this codebase is beyond repair:

     50+ distinct attack vectors across all major components
     No security architecture to retrofit modern protections
     Interconnected vulnerabilities where fixes create new problems
     Legacy dependencies that prevent meaningful security improvements


📧 SECURITY ADVISORY FOR ROCKSOLID LIGHT ADMINISTRATORS
Subject: CRITICAL SECURITY VULNERABILITIES - Immediate Action Required

To: RockSolid Light Administrators From: Security Research Team Date: 
June 20, 2025 Severity: CRITICAL

🚨 EXECUTIVE SUMMARY

Multiple critical security vulnerabilities have been discovered in 
RockSolid Light installations,

with evidence of active exploitation spanning May 2024 - June 2025.

Any RockSolid Light instance running during this period should be 
considered potentially compromised.

⚠️ IMMEDIATE ACTION REQUIRED

You are running RockSolid Light:

     Take your installation offline immediately
     Audit your system logs for suspicious activity
     Check your spool directory for unusual files (see indicators below)
     Consider your system potentially compromised
     Do not restart without applying security fixes

🔍 VULNERABILITY DETAILS
Primary Vulnerability: Path Traversal (CVE Pending)

     File: /var/www/html/spoolnews/files.php
     Impact: Complete file system access
     Exploitation: Active attacks documented since May 2024

Vulnerable Code Pattern:

// files.php - Critical path traversal
$getfilename = $spooldir . '/upload/' . $_REQUEST['showfile'];
readfile($getfilename);  // NO PATH VALIDATION

Attack Vector:

     Attacker extracts site key from HTML form
     POST request with malicious showfile parameter
     Can read any system file accessible to web server
     Enables extraction of SSH credentials, database contents, 
configuration files

Secondary Vulnerability: SQL Injection via Newsgroup Names

     Impact: Database manipulation and file system pollution
     Evidence: Hundreds of malicious database files found
     Attack Method: Injection through NNTP protocol and group name 
processing

🕵️ COMPROMISE INDICATORS

Check your spool directory for files with suspicious names:

# Look for files containing SQL injection patterns
find /var/spool/rslight -name "*CASE WHEN*" -o -name "*SELECT*" -o -name 
"*UNION*"
find /var/spool/rslight -name "*ORDER BY*" -o -name "*CONCAT*" -o -name 
"*CHAR(*"

Example malicious filenames found:

(CASE WHEN (2018=4830) THEN 'newsgroup' ELSE SELECT...)-data.db3
comp.lang.python' WHERE 7629=7629 AND 5482=CONCAT...-data.db3
DOVE-Net.Synchronet_Announcements ORDER BY 3123-- fnTQ-cache.txt

If you find such files, your system has been compromised.
🎯 ATTACK TIMELINE

     May 2024: First evidence of SQL injection attacks
     May 2024 - June 2025: Continuous automated exploitation
     March 2025: Retro Guy's system was under active attack during his 
final months
     June 2025: Vulnerabilities discovered and documented

💾 DATA AT RISK

Potentially Compromised Information:

     System/Web configuration files and encryption keys
     All newsgroup content and user messages
     User account databases and authentication data
     SSH credentials and server access
     Email addresses and user metadata
     Any sensitive data accessible to the web server

🛠️ IMMEDIATE REMEDIATION STEPS

Emergency Shutdown

# Stop web server and NNTP service immediately
systemctl stop apache2 nginx

Evidence Preservation

# Backup current state for forensic analysis
tar -czf rocksolid-incident-$(date +%Y%m%d).tar.gz /var/spool/rslight/

This vulnerability was discovered during a digital preservation effort 
following Retro Guy's passing in March 2025.

The path traversal vulnerability was used to rescue valuable community 
data from the rocksolidbbs.com server.

-------------------------------------------------------------
-------------------------------------------------------------
-------------------------------------------------------------


-- 
.......
Billy G. (go-while)

Back to news.admin.peering | Previous | NextPrevious in thread | Next in thread | Find similar

Thread

Is Rocksolid Light really compromised and insecure? Anonymous <anon@anon.anon> - 2025-07-12 10:21 -0500
  Re: Is Rocksolid Light really compromised and insecure? Marco Moock <mm@dorfdsl.de> - 2025-07-12 20:55 +0200
    Re: Is Rocksolid Light really compromised and insecure? Ray Banana <rayban@raybanana.net> - 2025-07-12 19:41 +0000
      Re: Is Rocksolid Light really compromised and insecure? Retro Guy <retroguy@novabbs.com> - 2025-07-12 20:15 +0000
      Re: Is Rocksolid Light really compromised and insecure? Soul Patch <soul.patch@127.0.0.1> - 2025-09-02 16:26 -0500
        [addendum] Re: Is Rocksolid Light really compromised and insecure? Soul Patch <soul.patch@127.0.0.1> - 2025-09-02 16:37 -0500
          Re: [addendum] Re: Is Rocksolid Light really compromised and insecure? "Billy G." <contact-5c2e-000@pugleaf.net> - 2025-09-03 00:44 +0100
    Re: Is Rocksolid Light really compromised and insecure? Soul Patch <soul.patch@127.0.0.1> - 2025-08-04 18:23 -0500
      Re: Is Rocksolid Light really compromised and insecure? Marco Moock <mm@dorfdsl.de> - 2025-08-05 20:14 +0200
  Re: Is Rocksolid Light really compromised and insecure? "Billy G. (go-while)" <no-reply@no.spam> - 2025-07-22 09:59 +0200
    Re: Is Rocksolid Light really compromised and insecure? doctor@doctor.nl2k.ab.ca (The Doctor) - 2025-07-22 14:36 +0000
    Re: Is Rocksolid Light really compromised and insecure? Kyonshi <gmkeros@gmail.com> - 2025-07-26 17:06 +0200
      Re: Is Rocksolid Light really compromised and insecure? Marco Moock <mm@dorfdsl.de> - 2025-07-26 17:49 +0200
        Re: Is Rocksolid Light really compromised and insecure? "Billy G. (go-while)" <no-reply@no.spam> - 2025-07-26 22:31 +0200

csiph-web