View Full Version : CjOverkill 2.0.2 released to fix a severe security bug


icefire
10-15-2003, 08:53 AM
CjOverkill 2.0.2 has been released today in order to fix a severe security bug that allows any malicious webmaster to steal traffic and admin credentials and to insert malicious code into the targeted site.



Other products vulnerable to this kind of bug are:

TTT, CjUltra, Traffic Drive (all of these tested).
EPowerTrader could also be vulnerable, but I did not get a copy on which to test it.

These scripts' creators have 24 hours to contact me for the bug report and proof-of-concept code (for $100 on PayPal), or anyone else who wants it during the next 24 hours can have it for $150 on PayPal. After these 24 hours the bug report will be available for free to any of my private security database subscribers, and to any other admin or webmaster who wants to pay $50 on PayPal for it.
After several days, once most of the sites using these scripts have been fixed, the exploit code will become available to whoever requests it (for testing and research purposes) for $25 or for free (still not decided).

Bug Allows:
Using only a browser and very little knowledge: stealing traffic, inserting a popup or any other code.
With a bit more knowledge: stealing the admin auth credentials and accessing the admin area.

NOTE: no info will be disclosed during the next 6 or 12 hours, until all the CjOverkill-driven sites upgrade their version.

For blames, screams or other stuff contact ICQ: 171216535

toker
10-15-2003, 01:06 PM
Give that bit of info to anyone and you're going to pay with all you have, little boy. You've been warned. :mad:

icefire
10-16-2003, 07:43 AM
The info is already in my security database service. It's available only to security auditors.
As promised, 24 hours have passed and all my active clients have upgraded.
The full info will be available for public use until all the security auditors using my database get all their clients fixed, or until a prudent period of time has passed.
Anyway, we are working on an extensible sanitization solution to prevent this kind of thing from happening again.

After seeing all the blame around, next time no announcement will be published.

Have a nice day :)