MBuilder - Premium Email Builder Extension For Mailwizz

We have already fixed it, and we were made aware of such a hole by our customers only. I thought this hole was in our latest version, which is not yet publicly released. Our developer will test it first thing in the morning and we will provide a patch right after that. I request you guys to disable mBuilder for now to prevent him from hacking it again.

Thanks, Apologies for the inconvenience.
 
@Jatin Sahani Apparently the support section of mBuilder gives away too much info. The hacker is obviously an mBuilder user, if not even the developer. A large portion of the mBuilder code is obfuscated, a technique similar to malware. I get a notification every time someone creates a support ticket. I can view the profile of the user. In the profile I can see the website where mBuilder is installed as well as the license key. All the attacker needs is a customer account to access mBuilder and upload the payload. He already has a list of all MailWizz installations running mBuilder from the support section.

Thanks for the info on our support system. We never got any customer feedback that he/she is getting all the info of other users via new tickets. We will investigate this bug/issue also, first thing tomorrow morning.

Thanks once again.
 
You sure?

@Jatin Sahani should know about this, since it was a security issue in mBuilder where the files were not checked at upload.
I also provided guidance on how to fix the given security error, which is very serious.
He should have fixed it by now and notified all customers, since again, that's a serious thing.
 
Thanks buddy. Yes, we fixed it, but I thought this was there in our new latest version, which we haven't even released publicly. We will release the patch tomorrow for sure. Guys, again I request you to disable the mBuilder extension for now. Also, if you need help getting back into your backend, let me know via PM.

Thanks
 
Yes, but this was with our latest version, which is not publicly released. Nonetheless, we will release the patch tomorrow for sure, as it's 12+ am at the moment and my developer will test it once more and release the patch for all our customers.

Thanks.

What date did he inform you?
 
As I told you above, I personally contacted twisted for the latest version, which is NOT released. He reviewed the code and told me about this issue, which my developer fixed, but we haven't even released this version till now. Well, now we have to release it for all our customers.

Also, this hacker is well trained, I assume, as we don't know yet how he got all the details of our customers and their MW installations.
We are not strong at hacking protection. Please let's not create a scene here now; even big companies get hacked all the time. I understand the issue at hand. As it's very late here, I personally can't do anything until tomorrow once I reach the office, as I will push my developer to test this hole once more and review the code once more, and then we will push the patch tomorrow only.

I can provide steps via PM to anyone who got hacked and needs to get back into his backend panel. Also, again, I request all our customers to disable the extension for now and change the backend passwords and database passwords as well.

Thanks
 
It is also important to check that the attacker did not leave traces of the backdoor used in the attack. I had to do a comprehensive scan of the entire website and found the PHP file that orchestrated the attack. I used Gravity Scan for that. Also, looking at the notifications at mBuilder support, I realized that Roldan Thalia created a support ticket the same day he performed the attack, which means @Jatin Sahani has his details. Why not inform the devs about the vulnerability? Why go ahead and do the exploit?
 
Yes but when did he tell you? I'm sure @twisted1919 will confirm the date.

The problem is you've been sitting on a security issue which you said was fixed but failed to roll it out. Why? You say because it's on a new version, but surely when you know about a HUGE security issue which has compromised many MailWizz customers who have purchased your plugin and possibly had all their data stolen, you would do an updated release of the CURRENT version straight away with the fixed security issue.

If the hacker was able to upload a PHP File Manager, which is what I've read, then that means he's been able to access ALL files on the domain, including viewing config settings for MySQL. So all the hacker needed to do was remotely connect to the database and download/steal all the data, or if that didn't work due to Remote MySQL security settings, then create a simple PHP script to export all the data and upload it using the file manager he uploaded in the first place.

You can't just sit there knowing about a security issue and say "Right, OK, so we've had the issue fixed, but I tell you what, we won't issue an update on the current version, we'll wait until the new version is fully ready and HOPE that no one notices the security issue".

With you saying you're not strong at hacking protection, it makes me never want to trust (especially now) your plugins. I mean, I can code in PHP, and if I was to ever make a plugin like this which involves people uploading files, I don't understand how you didn't code it so no harmful files can be uploaded, such as PHP files, and code it so only files such as jpg, jpeg, gif, png are accepted. I understand there are security issues with some big web-based programs, including WordPress, but the thing that gets me is how this could have been coded in a way to allow ANY file to be uploaded, and the time it's taken to release a patch to fix the issue.

"we haven't even released this version till now"

Makes me think, if all this didn't come to light, how much longer people would have had to wait in order to patch the security issue....

All this could have been avoided if you just released an update for the current version with the fix.
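
The image-only upload check described in the post above, as an added example; it is not mBuilder's code and not part of the original thread. The function name, the size limit and the `$destDir` parameter are hypothetical.

```php
<?php
// Added example: allowlist validation for an image upload handler.
// validate_image_upload(), $destDir and the 2 MiB limit are hypothetical names/values.

const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Validate one entry of $_FILES and move it into $destDir.
 * Returns the stored file name; throws RuntimeException on rejection.
 */
function validate_image_upload(array $file, string $destDir, int $maxBytes = 2097152): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or missing');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an HTTP upload');
    }
    if ($file['size'] <= 0 || $file['size'] > $maxBytes) {
        throw new RuntimeException('File size out of range');
    }

    // Decide the type from the file's bytes, never from the client-supplied
    // file name or Content-Type header.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = (string) $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_IMAGE_TYPES[$mime])) {
        throw new RuntimeException('Type not allowed');
    }
    // The file must also parse as an image.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Not a decodable image');
    }

    // Server-generated name with an allowlisted extension; the original name
    // (which could end in .php or contain path components) is discarded.
    $name   = bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
    $target = rtrim($destDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not store upload');
    }
    chmod($target, 0644);
    return $name;
}
```

A valid image can still carry PHP text in its metadata, so the server-chosen extension matters as much as the content check, and the storage directory should be one where the web server does not execute scripts.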
 
We have released the update via our backend for all our existing customers, which includes the fix for that security hole also.

Thanks
 
Hello, I think that security problems like these are normal. The thing is what the mBuilder developers are going to start doing so that this does not happen again; I expect a response from them.
 
@Jatin Sahani I still receive email notification for support tickets created by other users. Please fix your support platform. It gives away too much information.

Yes, we have already created a new support system, and we are launching our extension on Envato now; we have already submitted to CodeCanyon. So in a few days' time you won't receive any email from our current support centre.

Thanks for reporting again.

This is what our new support looks like now:
[Image: uB3vZ4n.png]
 
Hi @Allante Johnson and @Jatin Sahani ,

You are still developing and selling mBuilder? Or maybe they're on vacation in the Caribbean?

I bought a license two days ago. I have received NOTHING. I have sent you several emails, written from the contact form of your website, from your web chat,... And I don't receive a reply!

Do you guys have a problem? I don't understand a customer service that bad.
 
Hi, unfortunately the Caribbean island was hit by a huge hurricane, so I don't believe anybody is on vacation there.

Let me check for your license. Have you already opened a ticket?

We have a new support system we will be launching very soon.
 