• Re: Is Rocksolid Light really compromised and insecure?

    From doctor@doctor@doctor.nl2k.ab.ca (The Doctor) to news.admin.peering,comp.security.misc,news.software.nntp on Tue Jul 22 14:36:00 2025
    From Newsgroup: comp.security.misc

    In article <687f44fc$0$61204$882e4bbb@reader.netnews.com>,
    Billy G. (go-while) <no-reply@no.spam> wrote:
    On 12.07.25 17:21, Anonymous wrote:
    Some have claimed that Rocksolid Light is insecure. They have claimed
    that there are many vulnerabilities in the codebase. They have claimed
    that Rocksolid Light should not be used or peered.

    Yet I have not seen a single supposed vulnerability demonstrated.

    I have not seen any CVE filings.

    Can anyone demonstrate and prove any of the claimed exploits?

    Where would I find such proofs?


    Yes and if anyone is still running [rocksolid / rslight] (PHP):

    1. Turn it off!
    2. Backup /etc/rslight and /var/spool/rslight folders!
    3. Do NOT delete any configs or data!
    4. Wait for pugleaf.net open source release!
    5. Import to new software and be happy!

    If you don't want to turn your rslight off...
    Deny access from public and use it locally only.

    The path traversal vulnerability was used to rescue valuable
    community data from the rocksolidbbs.com server.

    Works on all other domains too and there is nobody to install a patch..
    Passwords are already leaked... kids found the way in...

    That's not the only vulnerability but I won't publish any more details.

    We'll see how long his servers and sites keep running.

    Domain expiry = end of life for the sites

    novabbs.com / novabbs.org / novalink.us will expire in Jan/Feb 2026.
    rocksolidbbs.com at the end of Nov 2025 and i2pn2.org at the end of the year 2025.

    Maybe there is credit... but if not ...

    ... RIP Retro Guy ...

    https://github.com/go-while/rocksolid-light/blob/claude-sonnet-4-test2/Rocksolid_Light/CRITICAL_VULNERABILITY.md

    https://github.com/go-while/rocksolid-light/tree/claude-sonnet-4-test2

    https://github.com/go-while/rocksolid-light

    🚨 CRITICAL SECURITY NOTICE

    This codebase contains multiple critical security vulnerabilities and is
    no longer under active development.
    Status: DEPRECATED AND UNSAFE FOR PRODUCTION USE

    Path Traversal Vulnerabilities: Complete file system access possible
    SQL Injection Attacks: Database compromise via multiple vectors
    Input Validation Failures: User input processed without
    sanitization throughout
    Legacy PHP Anti-Patterns: 20-year-old vulnerable coding practices
    Architectural Security Flaws: No security boundaries or privilege
    separation

    Evidence of Active Exploitation

    This codebase was actively compromised for over 1 year (May 2024 -
    June 2025) with evidence of:

    Automated SQL injection campaigns
    File system pollution via malicious newsgroup names
    Systematic database content extraction
    Hundreds of attack artifacts preserved in the filesystem

    Why Development Has Stopped

    After comprehensive security analysis, this codebase is beyond repair:

    50+ distinct attack vectors across all major components
    No security architecture to retrofit modern protections
    Interconnected vulnerabilities where fixes create new problems
    Legacy dependencies that prevent meaningful security improvements


    📧 SECURITY ADVISORY FOR ROCKSOLID LIGHT ADMINISTRATORS
    Subject: CRITICAL SECURITY VULNERABILITIES - Immediate Action Required

    To: RockSolid Light Administrators
    From: Security Research Team
    Date: June 20, 2025
    Severity: CRITICAL

    🚨 EXECUTIVE SUMMARY

    Multiple critical security vulnerabilities have been discovered in
    RockSolid Light installations, with evidence of active exploitation
    spanning May 2024 - June 2025.

    Any RockSolid Light instance running during this period should be
    considered potentially compromised.

    ⚠️ IMMEDIATE ACTION REQUIRED

    You are running RockSolid Light:

    Take your installation offline immediately
    Audit your system logs for suspicious activity
    Check your spool directory for unusual files (see indicators below)
    Consider your system potentially compromised
    Do not restart without applying security fixes

    🔍 VULNERABILITY DETAILS
    Primary Vulnerability: Path Traversal (CVE Pending)

    File: /var/www/html/spoolnews/files.php
    Impact: Complete file system access
    Exploitation: Active attacks documented since May 2024

    Vulnerable Code Pattern:

    // files.php - Critical path traversal
    $getfilename = $spooldir . '/upload/' . $_REQUEST['showfile'];
    readfile($getfilename); // NO PATH VALIDATION

    Attack Vector:

    Attacker extracts site key from HTML form
    POST request with malicious showfile parameter
    Can read any system file accessible to web server
    Enables extraction of SSH credentials, database contents,
    configuration files

    Secondary Vulnerability: SQL Injection via Newsgroup Names

    Impact: Database manipulation and file system pollution
    Evidence: Hundreds of malicious database files found
    Attack Method: Injection through NNTP protocol and group name
    processing

    🕵️ COMPROMISE INDICATORS

    Check your spool directory for files with suspicious names:

    # Look for files containing SQL injection patterns
    find /var/spool/rslight -name "*CASE WHEN*" -o -name "*SELECT*" -o -name "*UNION*"
    find /var/spool/rslight -name "*ORDER BY*" -o -name "*CONCAT*" -o -name "*CHAR(*"

    Example malicious filenames found:

    (CASE WHEN (2018=4830) THEN 'newsgroup' ELSE SELECT...)-data.db3
    comp.lang.python' WHERE 7629=7629 AND 5482=CONCAT...-data.db3
    DOVE-Net.Synchronet_Announcements ORDER BY 3123-- fnTQ-cache.txt

    If you find such files, your system has been compromised.
    🎯 ATTACK TIMELINE

    May 2024: First evidence of SQL injection attacks
    May 2024 - June 2025: Continuous automated exploitation
    March 2025: Retro Guy's system was under active attack during his
    final months
    June 2025: Vulnerabilities discovered and documented

    💾 DATA AT RISK

    Potentially Compromised Information:

    System/Web configuration files and encryption keys
    All newsgroup content and user messages
    User account databases and authentication data
    SSH credentials and server access
    Email addresses and user metadata
    Any sensitive data accessible to the web server

    🛠️ IMMEDIATE REMEDIATION STEPS

    Emergency Shutdown

    # Stop web server and NNTP service immediately
    systemctl stop apache2 nginx

    Evidence Preservation

    # Backup current state for forensic analysis
    tar -czf rocksolid-incident-$(date +%Y%m%d).tar.gz /var/spool/rslight/

    This vulnerability was discovered during a digital preservation effort
    following Retro Guy's passing in March 2025.

    The path traversal vulnerability was used to rescue valuable community
    data from the rocksolidbbs.com server.

    -------------------------------------------------------------


    --
    .......
    Billy G. (go-while)


    Must be rectified!
    --
    Member - Liberal International This is doctor@nk.ca Ici doctor@nk.ca
    Yahweh, King & country! Never Satan President Republic! Beware AntiChrist rising! Look at Psalms 14 and 53 on Atheism;
    All I want to hear from Jesus Christ is Well done Good and Faithful servant
    --- Synchronet 3.21a-Linux NewsLink 1.2
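
The containment check that the files.php pattern quoted in the advisory above lacks, as an added example that is not part of the original post or of the Rocksolid Light code. `resolve_upload()` is a hypothetical helper, and the temporary spool directory and its files are constructed sample data.

```php
<?php
// Added example. $spooldir and the 'showfile' value mirror the quoted snippet;
// resolve_upload() is a hypothetical helper, not a Rocksolid Light function.

function resolve_upload(string $spooldir, string $requested): ?string
{
    // Canonical upload root; realpath() returns false if it does not exist.
    $root = realpath($spooldir . '/upload');
    if ($root === false) {
        return null;
    }
    // Reject empty names and NUL bytes before touching the filesystem.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() collapses "../" segments and follows symlinks.
    $path = realpath($root . '/' . $requested);
    if ($path === false || !is_file($path)) {
        return null;
    }
    // Compare against the root WITH a trailing separator, so a sibling
    // directory such as ".../upload-old" does not pass as ".../upload".
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Constructed sample layout: one legitimate upload, one file outside the root.
$spooldir = sys_get_temp_dir() . '/rslight-demo-' . bin2hex(random_bytes(4));
mkdir($spooldir . '/upload', 0700, true);
file_put_contents($spooldir . '/upload/ok.txt', "attachment\n");
file_put_contents($spooldir . '/secret.conf', "site_key=constructed\n");

// Values a client could send as 'showfile' (constructed test inputs).
foreach (['ok.txt', '../secret.conf', '/etc/passwd', 'missing.txt'] as $showfile) {
    $path = resolve_upload($spooldir, $showfile);
    printf("%-16s %s\n", $showfile, $path === null ? 'refused' : 'served');
}

// Remove the sample files again.
unlink($spooldir . '/upload/ok.txt');
unlink($spooldir . '/secret.conf');
rmdir($spooldir . '/upload');
rmdir($spooldir);
```

Only a request that resolves to a regular file under the canonical upload root is served; the check runs on the resolved path, not on the raw parameter, so it does not depend on filtering particular character sequences.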