BarbMcG
Starting Member
USA
10 Posts
Posted - 20 September 2013 : 14:01:48
Since Snitz hasn't upgraded in eons, I need to convert my forum to another one. Snitz is so old that it's jeopardizing my site's ability to run credit cards!! And I'm running out of time to comply!
We've tried dozens of ways to convert with phpBB converters (trying not to lose posts, data, etc.)... we even fired up an old server with old software... still no luck.
Does anyone out there have any suggestions? I'm stumped at this point. I can just upload a brand new forum, but I really hate to lose everything and start from scratch. And our members would not be happy - the posts contain a lot of info important to their jobs.
I'm about to buy and try vBulletin... has anyone had any luck with this? Any suggestions or help would be greatly appreciated!!!
I'll even bake & send you a box of my famous chocolate chip macadamia nut cookies!!
Thanks, Barb
HuwR
Forum Admin
United Kingdom
20595 Posts
ruirib
Snitz Forums Admin
Portugal
26364 Posts
Posted - 20 September 2013 : 17:21:58
I second HuwR's opinion; there is nothing in Snitz that would prevent you from using credit cards.
Upgrade paths - HuwR is finishing a .net based option that will ease any migration. I think I have heard that vBulletin can upgrade from Snitz, not sure how easy or hard it is to do.
Snitz 3.4 Readme | Like the support? Support Snitz too
Webbo
Average Member
United Kingdom
982 Posts
Posted - 21 September 2013 : 02:34:00
I'm not sure if the OP is referring to the Payment Card Industry Data Security Standard (PCI DSS): https://www.pcisecuritystandards.org/
We had a website scanned to achieve certification for an online store (Snitz wasn't part of that website), and many issues kept cropping up such as the version of PHP that was on the server, password storing, time periods relating to cookie deletion, database security, etc., etc. In the end it was near on impossible to achieve certification without employing outside help at an extortionate cost, so we ran with the other option and that was paying an enhanced card merchant's fee.
Total rollocks when you look into it tbh, especially when you look at the recent hacking into and thefts from Barclays Bank account holder accounts as recently reported in the UK - if the banks themselves cannot remain totally secure, what hope have the rest of us 'little people'? I appreciate some standards have to be maintained, but just how far can a business go and still remain profitable?
Carefree
Advanced Member
Philippines
4217 Posts
Posted - 21 September 2013 : 04:12:18
We prepare companies for compliance here in the Philippines, then bring in an outside auditor just to review and sign, instead of bringing an auditor here and paying for hotel/transportation, etc. for six months. That reduces the average cost by about 80%. Some of the companies here were quoted fees > 500K USD. We got them certified < 50K.
The age of software in use, though, has absolutely NOTHING to do with achieving PCI DSS compliance. If the software is secure, you'll pass. So what you need to do is to eliminate security holes by applying all security fixes. If the auditor detects a security hole, make us aware of it and we'll patch it immediately. If the auditor cannot find a hole, then Snitz will not stop your certification.
BarbMcG
Starting Member
USA
10 Posts
Posted - 23 September 2013 : 11:45:05
It is a PCI compliance issue. Since there are no security updates to the forum, it leaves what they consider a security risk to our servers... once they hack your servers... anything else is easy enough to get into.
Still seeking any info from anyone who has used vBulletin. Did it work? Did it move the whole of the Snitz forum? Was there data loss?
Thanks again,
Barb
HuwR
Forum Admin
United Kingdom
20595 Posts
Posted - 23 September 2013 : 12:10:11
quote: Since there are no security updates
There are no current security updates to the forum because there are NO current security issues that we are aware of.
If any are found during your compliance testing then we would be more than willing to provide fixes if required, but just saying it is insecure because it is old or has no updates is just bollox, and if you do a quick search on Google you will notice that vBulletin has had many more security vulnerabilities reported in the last few years than Snitz.
MVC .net dev/test site | MVC .net running on Raspberry Pi
ruirib
Snitz Forums Admin
Portugal
26364 Posts
Posted - 23 September 2013 : 13:51:49
I am an admin on a vBulletin board that had a zero-day vulnerability very recently. We are here and providing support as we always have been. I will provide / cooperate in providing any fix Snitz may need, as I am sure other Snitz members will.
Our code base has been stable for a long while now, so it's not unexpected that no security bugs have been found and thus no security fixes have been provided. If your compliance audit found anything, do let us know, please.
Snitz 3.4 Readme | Like the support? Support Snitz too
BarbMcG
Starting Member
USA
10 Posts
Posted - 24 September 2013 : 11:20:21
I am just telling you what the PCI people told me and I'm trying to either save the forum our customers love or find an updatable, viable, compliant alternative.
Issue 1 of 2 detected by ControlScan:
ISSUE #1
Summary: vulnerable Snitz Forums 2000 version: 3.4.07
Risk: High (3) Port: 443/tcp Protocol: tcp Threat ID: web_prog_asp_snitzsqli
Details: members.asp SQL injection
01/11/11 CVE-2010-4826, CVE-2010-4827 Snitz Forum 2000 has multiple SQL injection and cross-site scripting vulnerabilities because it fails to sanitize input passed to the "M_NAME" parameter in members.asp. Snitz Forum 2000 version 3.4.07 is vulnerable and other earlier versions may also be affected.
'X-Forwarded-For' SQL Injection Vulnerability
03/03/10 Snitz Forums 2000 v3.4.7 is prone to an 'X-Forwarded-For' SQL injection vulnerability because it fails to sufficiently sanitize user-supplied data via the 'X-Forwarded-For' HTTP header before using it in an SQL query. This vulnerability can be exploited to manipulate SQL queries by injecting arbitrary SQL code which could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Cross Site Scripting and HTML Injection Vulnerability
01/18/10 CVE-2009-4554 Snitz Forums 2000 is prone to a cross-site scripting vulnerability and an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied data. Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user.
SQL Injection Vulnerability
08/01/09 CVE-2003-0286 Snitz Forums 2000 v3.4.7 is vulnerable to a SQL injection vulnerability in register.asp and pop_profile.asp. The vulnerable parameter is in the email domain field as it is used in a new security feature that allows a look up against known spam domains. This variable is only checked to see if it contains the '@' symbol and SQL control characters are not sanitized.
Edited by - BarbMcG on 24 September 2013 11:26:53
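The last finding in that scan output (and the X-Forwarded-For one above it) describe the same defect: a request-supplied value is checked only superficially and then pasted into SQL text. As an added illustration that is not code from this thread or from Snitz, here is a constructed Python/SQLite model of the spam-domain lookup the report describes, with the "only check for '@'" version beside a hardened one that validates the domain against an allow-list pattern and binds it as a query parameter; the table name, sample domains and function names are assumptions.

```python
import re
import sqlite3

# Constructed sample of "known spam domains" (not Snitz's real data).
SPAM_DOMAINS = ["spam.example", "junkmail.example"]


def make_db():
    """In-memory stand-in for the forum database's spam-domain table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE SPAM_DOMAINS (DOMAIN TEXT)")
    conn.executemany("INSERT INTO SPAM_DOMAINS VALUES (?)",
                     [(d,) for d in SPAM_DOMAINS])
    return conn


def classify_domain_weak(conn, email):
    """The pattern the scan report describes: the only check is that an
    '@' is present, then the domain is concatenated into the SQL text, so
    quotes and other SQL control characters reach the database as syntax."""
    if "@" not in email:
        return "rejected"
    domain = email.split("@", 1)[1]
    sql = "SELECT COUNT(*) FROM SPAM_DOMAINS WHERE DOMAIN = '" + domain + "'"
    return "spam" if conn.execute(sql).fetchone()[0] > 0 else "clean"


# Allow-list for a syntactically valid hostname: labels of letters, digits
# and hyphens separated by dots, ending in an alphabetic top-level label.
DOMAIN_RE = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def classify_domain_safe(conn, email):
    """Hardened form: validate the domain against the allow-list pattern,
    then bind it as a parameter so it is only ever compared as data."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or len(domain) > 253 or not DOMAIN_RE.match(domain):
        return "rejected"
    row = conn.execute("SELECT COUNT(*) FROM SPAM_DOMAINS WHERE DOMAIN = ?",
                       (domain.lower(),)).fetchone()
    return "spam" if row[0] > 0 else "clean"
```

The same two rules (allow-list validation, then parameter binding) apply to any request-supplied value, including HTTP headers such as X-Forwarded-For.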
HuwR
Forum Admin
United Kingdom
20595 Posts
Posted - 24 September 2013 : 11:39:19
All those issues are old and fixes have been issued for them.
They must have either pulled those issues from a Google search and not actually tested them, or you have not implemented any of the security fixes that were posted for those vulnerabilities.
As I said in my previous post, there are NO current vulnerabilities that we are aware of.
MVC .net dev/test site | MVC .net running on Raspberry Pi
ruirib
Snitz Forums Admin
Portugal
26364 Posts
AnonJr
Moderator
United States
5768 Posts
Posted - 24 September 2013 : 14:56:03
I bet they're just checking the version number and lists of issues for that version number... if it were version 3.4.08 it wouldn't be a problem.
HuwR
Forum Admin
United Kingdom
20595 Posts
HuwR
Forum Admin
United Kingdom
20595 Posts
Posted - 24 September 2013 : 15:11:17
quote: save the forum our customers love or find an up-datable, viable, compliant alternative.
You already have all that in Snitz; being given a list of out-of-date, fixed vulnerabilities does not make it non-compliant.
And as we have stated, if they do actually come up with a current vulnerability then we will issue a fix straight away.
MVC .net dev/test site | MVC .net running on Raspberry Pi
Carefree
Advanced Member
Philippines
4217 Posts
Posted - 24 September 2013 : 22:47:53
quote: Originally posted by HuwR
Yes, well, doing a Google search isn't what I would call security testing.
Very thorough results LOL. Look at the installed programs, check what others said about it and assume it's all correct. Yep, I know why that tester gets the big money.
Barb, I can run a vulnerability test from here for free. I will give you the basic results (identifying the number of issues, if any) and detailed results of anything involving Snitz. Just email me the web site to test, giving your permission for me to conduct it (that will keep the law off my back if someone suspects I'm trying to hack you).
Edited by - Carefree on 24 September 2013 22:50:41