Standards of IM solution developers called John.
I’m not sure how I am supposed to avoid sounding like a moaning Minnie or a panic monger, but when something is WRONG, something IS wrong, right?
Now don’t get me wrong. We ALL make mistakes, and with Internet security there is always some bored mafia kid who wants to break what we work incredibly long hours to create.
So my issue is not that a mistake was made, but that no remedy has been taken to fix it. AFAIK, anyway. And if it has been fixed, not telling me seems equally bad.
I bought a software product from a renowned Internet marketing development company.
It basically worked, which is always a great start, but then I noticed something. The configuration file, which housed all the database connection details including the database password, was PLAIN TEXT.
You don’t have to be technical to know that a plain text file sitting in the web folder can be read by anybody who asks the web server for it: the server does not care what is inside, it just hands the file over.
So all someone needed to do was type yourdomain.com/CHANGEDTOPROTECTUSERS.ini into a browser, and your database security is severely compromised!
I contacted their support dept and within 60 hours I had a “refund” but no explanation. No fix. No patch. No apology. No “thanks for pointing that out, we will recall them all and fix it”.
WTF?
When you consider this is from the same company that creates a $2,500 per month JV manager system, I start to get concerned.
No doubt this is some $67 piddly product they do not care about in the least, but this just seems totally unprofessional to me. Not the security mistake (though it isn’t one you’d expect from any non yts programmer) but their handling of it.
Of course, with the Internet being a huge excuse for anonymity and privacy, I cannot ask Mr John Delavera if he even knows what his company is doing. Hope you get to read this John!
I hate to be alarmist, but this company sells probably 100 different scripts like this!
So if you have a file in your package ending with an .INI (or .TXT) extension, PLEASE get someone who knows programming to look at it, or just send it straight back for a refund. A quick check you can do yourself: once the script is installed, put the file’s address into your browser. If you can see the contents, so can everyone else.
Now some people are just going to say this is sour grapes from one developer to another much larger one. Believe that if you will, but do NOT compromise your own Internet security by not looking for that .INI file in what you have bought from these people!
I apologise that I have had to expose and highlight this security issue, and at the same time arm crooks and vandals with the method to do it, but there is no other way, and this is the method used by security specialists all over the Internet to expose MySQL injection threats. Well, the database password is RIGHT UP THERE in my book!
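For those who do know a bit of programming, here is the check in script form. This is an added example, my own code and not the vendor’s or anything from the package I bought: it walks an extracted package looking for .ini/.txt style files that carry database credentials, and it can also fetch a URL on a site you own to see whether such a file is actually being served. The file names, directory layout and the sample config contents are constructed for the demonstration.

```python
"""Audit a script package for plain-text database credentials, and optionally
probe a live site to see whether the config file is served over HTTP.
Constructed example; file names and contents below are made up."""
import configparser
import os
import re
import shutil
import sys
import tempfile
import urllib.error
import urllib.request

# Extensions the post warns about, plus the usual config suspects.
SUSPECT_EXTENSIONS = {".ini", ".txt", ".conf", ".cfg"}
# Keys that normally carry secrets or connection details.
SECRET_KEY_RE = re.compile(r"(pass(word|wd)?|pwd|secret|user(name)?|login|host)", re.I)

# Constructed sample of the kind of file the post describes (not a real vendor file).
SAMPLE_INI = """; database settings (constructed sample)
[database]
host = localhost
user = shop_admin
password = s3cret!
name = shop

[paths]
upload_dir = /var/www/uploads
"""
SAMPLE_README = "Thanks for buying. Install by uploading everything to your web root.\n"


def find_credentials_in_text(text):
    """Return (key, value) pairs that look like credentials in a config body.

    Tries a real INI parse first so section names are reported; files that are
    not strictly INI (no section header) fall back to a key=value line scan.
    """
    findings = []
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text)
        for section in parser.sections():
            for key, value in parser.items(section):
                if SECRET_KEY_RE.search(key) and value:
                    findings.append((f"{section}.{key}", value))
        if findings:
            return findings
    except configparser.Error:
        pass  # not INI-shaped; scan line by line instead
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z_][\w.]*)\s*[=:]\s*(.+?)\s*$", line)
        if m and SECRET_KEY_RE.search(m.group(1)):
            findings.append((m.group(1), m.group(2).strip("\"'")))
    return findings


def audit_package(root):
    """Walk an extracted package and return [(relative_path, findings)] for
    suspect files that contain credentials. Anything reported here that gets
    uploaded into the web root is readable by URL."""
    report = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SUSPECT_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = find_credentials_in_text(fh.read())
            if findings:
                report.append((os.path.relpath(path, root), findings))
    return sorted(report)


def probe_url(url, timeout=10):
    """Fetch a URL you own and return the credentials found in the body, or
    None if the file is not served. A hit means anyone on the Internet can
    read your database password."""
    req = urllib.request.Request(url, headers={"User-Agent": "config-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read(65536).decode("utf-8", errors="replace")
    except (urllib.error.URLError, OSError):
        return None
    return find_credentials_in_text(body) or None


def demo_audit():
    """Build a throwaway package from the constructed samples and audit it."""
    root = tempfile.mkdtemp(prefix="pkg_audit_")
    try:
        with open(os.path.join(root, "config.ini"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_INI)
        with open(os.path.join(root, "readme.txt"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_README)
        os.makedirs(os.path.join(root, "inc"))
        with open(os.path.join(root, "inc", "db.php"), "w", encoding="utf-8") as fh:
            fh.write("<?php $db_password = 'executed by PHP, not served as text';\n")
        return audit_package(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, found in demo_audit():
        print(path, "->", ", ".join(f"{k}={v}" for k, v in found))
    if len(sys.argv) > 1:  # e.g. python audit.py http://yourdomain.com/config.ini
        print("served:", probe_url(sys.argv[1]))
```

Run it with no arguments to see the audit of the constructed package; pass the URL of the config file on a site you own to test the live exposure. Note that the .php file in the sample is deliberately not scanned: a PHP file is executed by the server rather than handed out as text, which is why a config.php (with nothing echoed) is a far safer home for credentials than a .ini in the same folder. The proper fix is to keep the config file above the web root altogether, or to have the web server refuse to serve it.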
As they used to say in the cop show “Let’s be careful out there”.
Peter