URGENT: Upgrade Your Prosper202
Well, it looks like there’s an SQL injection vulnerability in Prosper202 up to version 1.1.1. If you’re running the Prosper202 software, you need to go upgrade to the latest version. READ THE INSTRUCTIONS HERE first, before going to the download page and getting the latest version.
This is very serious as some douchebag has been going around stealing people’s campaigns and rooting their servers. Apparently there is an affiliate who’s known about this vuln for a week or two at least and when asked to report the bug to Wes, he decided to keep it for personal benefit and give it out to his friends instead. A giant FUCK YOU goes out on behalf of nickycakes.com and probably many others. The respect you would have earned by doing the right thing far outweighs any tiny-ass profits your buddies made. You know who you are.
In any case, Nicky’s stuff doesn’t seem to be hacked and is all patched up now.
Since the new version is open source, you can now do some fun stuff with the software that was more difficult before. For example, if you’re like Cakes, you may have mis-named some of your traffic sources, which makes them show up as a question mark in spy view. You can now go into the 202-config/functions-tracking202.php file and change the regex responsible for deciding which icon to use, as well as add new ones for traffic sources that aren’t included by default.
See everyone in NY.






Glad they caught it before too many people got hit by this guy. I think I was a target, as I saw some “site: http://www.domain.com” searches in my logs. They were looking for p202 installs.
It’s time to get a fully working SSL version installed, as I believe most search engines won’t try to index https sites.
If you know the douchebag he should be exposed. Who is it?
Anyone looking to “harden” their prosper202 install, I just did a pretty lengthy post with some suggestions:
http://masterlesssamurai.com/ppc/tips-tricks/prosper202-self-hosted-apps-10-best-practices-to-securing-your-prosper202-installation/
“…and when asked to report the bug to Wes…”
I’m not taking sides here, and obviously don’t support stealing people’s campaigns. However, why would someone ask someone else to report it? If you want shit done, do it yourself. If I had a problem I wouldn’t go telling other people to report it for me. If I have an issue, I handle it myself.