[Complaint/Warning] Nucleus market uses an insecure version of the PHP framework Laravel

Why are so many market admins making no effort to hide the framework they are using? It is no wonder why people stick with Agora despite the downtime, at least they are not amateurs.

It is a trivial task to then look up CVE details on that framework and just test every vulnerability until one is found that works and determine the version.


Comments


[9 Points] DNMd:

Yeah it's pretty fucking sad that a script kiddie could plug away on Google and actually do some damage here. You'd think market admins would care about security, but in my opinion this goes to show that many don't care at all. Why? Perhaps because they know they won't be around in 4 months' time.


[10 Points] None:

[deleted]


[3 Points] IngrownHairs:

I certainly missed the Laravel references the other day. That's so bad. Why any single person would ever go through the effort of opening a market and NOT clean up after themselves blows my mind.

The OP is right, once you know what software is being used, it's only a matter of looking up that software to figure out the weaknesses. And, with Laravel being open-source, relying on Composer to manage 3rd-party vendor dependencies - these all represent potential vectors of attack and the properly motivated attacker would go as far as to create a vulnerability in those software packages.

I mean, just reading about Composer for a brief minute, there was an issue back in Feb '14 where malicious forks of any frameworks/libraries could be published and unknowingly downloaded by a developer - so two vulnerabilities right there - file inclusion and execution. Granted, this issue in Composer was fixed.

Either way, it's incredible to think someone would have the skill and knowledge to open a Tor market, but seemingly fall short with securing their ship. It's almost as if they wanted to get out in the water so quickly they just gave up with that part - that can keep them from sinking. Must not value self.

EDIT: "vendor dependencies" may be bad wording for here, not vendor as in market vendor, but vendor as in software vendor.


[2 Points] None:

https://labs.mwrinfosecurity.com/blog/2014/04/11/laravel-cookie-forgery-decryption-and-rce/


[2 Points] Doormemas:

F20 ki k me- Layla508


[2 Points] Vendor_BBMC:

You're good at this, H4C


[2 Points] Kazaa99:

It actually is something to wonder about. Agora is coded terribly. Most likely using the same platform as the other markets. The reason for the downtime is not an influx of users, but rather a terrible server and database setup that keeps failing, and the site has to be taken offline to fix.

Agora never comments on any downtime or errors, and the chance of the site having been hacked several times is pretty high. The "security first" excuse when the site goes down is used a little too much. But it is the best excuse there is because everybody falls for it.

People always say that the downtime is ok because they know that it will always pop up again, but one day it won't, and then it will be terrible to have been one of these Agora fanboys with all their money stuck there.


[1 Points] DrinkingAndFighting:

Someone needs to write an open source anonymous bitcoin marketplace, specifically for the darknet, that comes with deployment instructions so that you can instantly get set up.

It shouldn't be using PHP, but it should use a lower level language like C so it can get much bigger before it has to scale.

I'd like to see a site that could operate without a browser, so simple that a tech savvy person could write cURL requests to buy things in it.


[1 Points] ciphersexual:

Are you /u/hacksforcrack also /u/haxforcrack, the OP of the Middle Earth thread? If so, why did you change your reddit user name?


[1 Points] Alex4921:

Is this indeed the amateur hour of DNMs?

The pro SR1 is long dead, it's a bunch of hotshot kids now


[1 Points] WhyDoIneedAname123:

So what does this mean to us?

If PGP is used, and coins are not stored on market, it should not affect us?

Will it leak any personal information?


[-2 Points] None:

[deleted]


[-7 Points] DancingWindAway:

At least they remove their exif data ;) Can anybody confirm this accusation? The OP only made 2 posts, one about ME security being shit and this one, looks like shill and FUD for Agora until confirmed.