MAJOR Exploits published - Devs please act urgently

I found a serious exploit published on the 20th of November 2016. The site is easy to find, so I decided to remove the link.

Netmake were made aware of it in October this year, and they were given over a month to fix it. Because they were unresponsive it was made public, according to the logs. I can confirm some issues are still not fixed in the latest version. These are SERIOUS issues. Unfortunately those modules used in the article are encrypted, which means there is no way for us to fix it ourselves.

In a nutshell, it allows a user to start any app on your server, thus allowing them to add users etc. I have tested it, and unfortunately it is still very much broken. It executes the program, and it will only appear under Task Manager and won’t pop up. But it still executes successfully.

This seems to be true if you have Scriptcase installed on a publicly accessible machine. Can we get confirmation that published applications will NOT suffer from the same issue?

What the heck!!!

I was just about to extend my subscription using the Black Friday Promotion.
This news came just in time to help me decide not to renew my Scriptcase.

Scriptcase, fix your bugs immediately or else you will be hearing from my customers’ legal teams.

Your software will be held responsible for any data or security breaches.

You have been warned.

Please don’t let the Black Friday deal slip. Part of my day job is scanning security advisories, and to make sure my company takes any issues on their product, or dependent products seriously and apply patches. Since I bought SC I also expanded my search to include it as well.

There are ways to prevent it on Linux and Windows, but you need to limit access and not let “Everyone” have access to the devel. The main issue is if Scriptcase itself is installed publicly (the dev environment). It seems if you only publish the app the same exploits don’t apply. But for those who have Scriptcase itself running on a public server for development, please take security measures since this exploit is serious.

Unfortunately most developers will install Scriptcase without checking privileges, assuming the install handles it all. I had the same on many other dev tools. To be fair, they inform the vendors and give them time to fix it before taking it public. But as I have said Scriptcase is not the only one who takes too long to fix these, there are much worse.

From the logs it does seem that a video was requested by the devs, then communication died off.

Well, that’s the main issue with Scriptcase. We too have reported security issues, even within the generated applications, made contact between Scriptcase and our security board, but after that things die. I have repeatedly emailed John Lennon and Marcia, but they simply don’t respond. If I use chat then Marcia is always in some meeting and I get some email back, but the organisation tends to learn very slowly. In fact, as soon as you think you have made two steps forward, it appears that you have done two steps backwards…

We have fixed the issues by applying custom code, but most issues are by Scriptcase design.

For those of you who are running SC on a public server, make sure that the firewall will only let your IP through.

It does not matter to me or my development team as the new release 9 roadmap does not have mobile related enhancements, so I will give it a pass this time around.
Renewing for a 10 user license is not cheap.

Moreover, most of our work is custom coded using either control or blank applications.
There are too many issues in Scriptcase for which we are working around.
At the moment I have a lot of support cases that have not had any decent solution from Scriptcase.

If you dig around in the production libs (shipped by Scriptcase) you will find a lot of samples/examples from the library vendors that are open to exploit.
I have to make sure for each release I maintain my own production libraries.

At least you need to be using sessions instead of POST and GET. That should reduce some of them. Or, in the case of POST and GET, add encryption and/or some secure CRC checking.
And the occasional % filtering and ’ or " filtering…
I am interested in the exploit you found though. Basically to see if we over here have covered them or, more importantly, if we missed them… On the other hand that is a subject that should not be on the forum since everyone then can find the info and exploit Scriptcase applications…

Just my view…
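The post above suggests keeping state in sessions rather than in GET/POST, or signing the parameters when they must travel in the URL. The PHP below is an added example written for this thread; it is not Scriptcase code and does not reflect how Scriptcase builds its links. The signing key and the `app`/`id` parameters are constructed for the demo. It shows both options side by side: an opaque session token that maps to a server-side record id, and an HMAC over the sorted query string checked with a constant-time comparison, so a tampered `id` is rejected.

```php
<?php
// Added example for the thread, not Scriptcase code.
// Assumes a per-deployment secret kept outside the web root;
// the literal below is a placeholder, not a real key.
declare(strict_types=1);

const SIGNING_KEY = 'replace-with-a-random-32-byte-secret'; // assumption

// Option 1: keep the real value server-side, hand the browser an opaque token.
function remember_record(int $recordId): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $token = bin2hex(random_bytes(16));          // 128-bit random handle
    $_SESSION['records'][$token] = $recordId;
    return $token;
}

function lookup_record(string $token): ?int
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Unknown or forged tokens simply resolve to null.
    return $_SESSION['records'][$token] ?? null;
}

// Option 2: the value has to be in the URL, so bind it to an HMAC.
function sign_params(array $params): array
{
    ksort($params);                              // canonical order before hashing
    $params['sig'] = hash_hmac('sha256', http_build_query($params), SIGNING_KEY);
    return $params;
}

function verify_params(array $params): ?array
{
    if (!isset($params['sig']) || !is_string($params['sig'])) {
        return null;                             // unsigned request: refuse
    }
    $sig = $params['sig'];
    unset($params['sig']);
    ksort($params);
    $expected = hash_hmac('sha256', http_build_query($params), SIGNING_KEY);
    // hash_equals avoids leaking where the comparison failed (timing side channel).
    return hash_equals($expected, $sig) ? $params : null;
}

// Demo with constructed input: a signed link, then the same link with id changed.
$signedUrl = http_build_query(sign_params(['app' => 'orders', 'id' => '42']));
parse_str($signedUrl, $received);
echo 'untouched link valid: ', var_export(verify_params($received) !== null, true), PHP_EOL;

$received['id'] = '43';                          // attacker edits the URL
echo 'tampered link valid:  ', var_export(verify_params($received) !== null, true), PHP_EOL;
```

The HMAC only proves the parameters came from your own application unmodified; the application must still check that the current user is allowed to see record 42. Filtering `%` or quote characters, as the post mentions, is a weaker defence than passing values through prepared statements, which is where the SQL side of this belongs.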

I agree with rr. We too have a 10 user licence.

I will PM you the link, since I decided not to include it on the forum. Take note that if it was published on public advisories outside this forum, it is something that I think we do need to discuss here.

@beltzaser I will look into this.

After reading carefully I think I fixed this issue, and the problem was only where SC was installed.
No harm can happen to the published apps. (If by any means I am confusing myself I’ll come back here and let you all know.)

Yeah, I’m checking all the issues. I have fixed some of the problems, but not all.
We will analyze this and we’ll give you guys feedback on those issues when they’re fixed.

I see many users (or I should say the majority) are not using the SC Security Module because of limitations, bugs and exploits, so why include this module in SC? Remove it and spend your time on something that you can make really work. I have had a testing project put on a web server along with a CMS system, and the whole CMS along with the SC project got compromised. The hacker was working on it for about 2 months. I tried to protect it but I could not prevent it completely. At some point everything got messed up. Fortunately it was not a production server or project so there is no big loss. I was just watching how long it takes to break into my SC apps. I’m not a hacker and do not even know the methods but was getting some messages from the server about the exploits and all kinds of SQL injections. There are some tools to prevent this but most of them cost $50+/month which I’m not ready to spend. So SC itself as a development platform (on the server) is one issue, but the projects uploaded to the server are not safe and there should be more tools provided. Moreover, if the bugs are fixed as they are supposed to be, every project would be more secure.
I also did not use the Black Friday promotion as I am not sure if I will use SC in the future. There are simply too many problems and the company attitude is just unacceptable. We see numerous complaints about company service and support and despite that nothing has changed for the last 3-4 years. To be honest I do not believe it will change soon; it is just their philosophy and attitude. This feels like a parent/child relation. The PARENT always knows better; no matter what the child wants, parents will always do it their way…
Better yet, if you complain too much you get warnings :wink: - what a joke

The only reason I’m still on this forum is that I have some projects which need to be somehow maintained. Unless I see any dramatic change in SC attitude and bug management I do not think I have a bright future working with SC. Let’s wait and we will see what next months bring into the table…

Art

Thank you for responding here. I have PM’d you the details. And yes, this is only an issue if you have Scriptcase on a public server. There is a way around it on a Linux server though, but you need to understand how to secure folders and how to set up htaccess.
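The two mitigations this thread keeps coming back to are restricting the Scriptcase development interface to known addresses (the firewall advice above and the htaccess remark here) and not leaving vendor sample directories from the shipped libraries reachable. The Apache 2.4 configuration below is an added example written for this thread, not a file shipped by Scriptcase; the install path, the address range and the sample directory names are assumptions and need to match your server.

```apacheconf
# Added example, not a Scriptcase-provided file.
# Apache 2.4 (mod_authz_core). Put the Require lines in the .htaccess at the
# root of the Scriptcase development install (needs AllowOverride AuthConfig),
# or use the <Directory> form below in the virtual host configuration.

# Assumed install path of the development environment.
<Directory "/var/www/html/scriptcase">
    # Several Require lines at the same level are combined as "any", so
    # either the office range (assumed) or localhost is accepted;
    # every other client gets 403 before any PHP is executed.
    Require ip 203.0.113.0/24
    Require ip 127.0.0.1
</Directory>

# Vendor examples bundled inside the libraries should not be browsable.
# Directory names are assumptions; check what your install actually ships.
<DirectoryMatch "/(examples|samples|demo)/">
    Require all denied
</DirectoryMatch>
```

After reloading Apache, confirm the rule from an address outside the allowed range (or with a `curl` through another network) and expect a 403; the published applications should live under a separate document root so this restriction does not affect end users. Keep the host firewall rule as well, since the htaccess only protects what Apache serves.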

No problems mate. I’m checking those issues as you are aware. This topic is a bit old, and as I told you earlier we had identified some of the exploits earlier.
I’ll let everyone know here when the fixes are ready.

@aka Thanks for trying to participate here, I guess you know nothing about what we are discussing since your words made no sense at all.
This has nothing to do with the Security Module from ScriptCase, which by the way has no problems.

Also the generated apps, as far as we know, have no problems. They had some in the past that could be exploitable, although this was fixed some months ago.
The problems we’re talking about are happening in the interface.