Wednesday, November 5, 2008

Quote from Rip Off report

Ran into this nice site, which explains a lot :) Read and weep...

-------
On October 23, 2007, I purchased the Subdreamer CMS (Content Management System) from Subdreamer, LLC.

The issues came about when on October 26, 2007, a Subdreamer user (Mr_Bob) posted a major security vulnerability in the software.

http://www.subdreamer.com/forum/project.php?issueid=79

This vulnerability allowed anyone to post comments on articles. The problem, from what I can tell of the coding, is that the Subdreamer team failed to write coding to check to make sure that whom or whatever was posting had permission to do so. On November 3, 2007 I submitted a support request to officially notify Subdreamer of the issue. A few days later I received a response from Brent (Subdreamer team member) stating that they were validating the issue.

I posted some coding that I wrote and worked for me. I posted under the handle krackerjax. Unfortunately, the coding did not work for everyone. Even the owner (Ziad) stated it was incorrect and the correct coding would be posted right away. Well, two weeks later and this coding has yet to be released.

As you can see in the post, Brent has a very relaxed and carefree attitude about the vulnerability. Brent has what is called false security. I guess he thinks just because a few people on the company forums know about it that no hackers or malicious users will ever discover it. Even if they do discover it, to Brent there is no major damage.

There are actually a few things that a malicious user can do:

- Posting of inappropriate comments. What if one of your customers is using SD for a school or church website? What do you think will happen when they get spam comments posted on their articles that are pornographic or spam related to Viagra?
- Posting of a URL to a spoofed website. From national banks to MySpace. These types of accounts have been compromised by people blindly entering in their personal information after clicking on a spoofed website.
- Posting of a URL that leads to a website which may compromise their system using a variety of vulnerabilities in the Windows Operating System as well as software run on Windows.

These are the ideas that come to mind from just a security-conscious person. I can only imagine what some malicious user can think of. In the end, Subdreamer has decided to wait until the next release to fix this problem. I consider this completely unacceptable. Why can't they release an official patch? Why did it take them almost a month to 'Confirm' this vulnerability? Why did Ziad ignore my emails about this issue?

Another problem I have noticed with Subdreamer, besides them ignoring customers, is that they delete posts so that they don't look bad. On quite a few occasions I have posted not only about this security issue, but their use of false advertising and deceptive trade practices.

Subdreamer advertised that when you purchased Subdreamer Pro you would get 6 months of free hosting. In a way that's true. In a way it's not. You get the 6 months free, however, you must sign up for 1 year of hosting and then pay for the other 6. If you sign up for 3 or 6 months, you are charged a $29.95 setup fee. They never stated this with a little * or any other symbol to indicate that there are special terms.

I mentioned this in the forums and ended up getting one of my replies deleted twice.

http://www.subdreamer.com/forum/showthread.php?t=10516

In this post, I commented about the details of this matter. One of my posts (below in quotes) was deleted twice. I thought at first maybe my computer was messing up and it didn't post it in the first place. That's when I decided to make sure my post was up there before I closed down my browser.

'[QUOTE=Brent]The requirement to register yourself and subscribe to a given term is to verify that you are a legitimate and interested consumer in their services/product before giving you something for nothing. This is a normal procedure.[/QUOTE]

The fact that a person has taken the time to purchase Subdreamer and sign up for the hosting should be some indication of a legitimate interest. The partial statement of '...giving you something for nothing.' in reference to something for 'free' is completely contradictory. If something is free, then it's free. There are no fees attached to it.

If actions like this are normal procedures, then such 'procedures' are what the FTC considers 'false advertising' and 'deceptive trade practices.' '

It seems that Brent or another Subdreamer moderator deleted that post. After all, that makes Brent and Subdreamer look bad. I have talked privately to another user and have been told that it is not uncommon for Subdreamer to delete people's posts that they don't like.

Today I sent off a letter to the address listed on Subdreamer's corporate listing in the Florida Corporate Database. I did find something odd.

Firstly, if you do a WHOIS on Subdreamer, you'll notice they don't give a valid phone number. Below is the information given:

Hilal, Ziad
Subdreamer
2139 NW Cedar View Ln
Portland, Oregon 97229
United States
5031111111 Fax --

The area code/prefix does not correspond to any phone numbers. It's just a false number typed in. Next is the address of Portland, OR. That address traces to some female, not even with the last name of Hilal.

Then, on the corporate filings, there are three addresses listed. It shows Ziad Hilal as being located in Santa Monica, CA (even though the WHOIS information showed Portland, OR):

HILAL, ZIAD
960 3RD ST
SANTA MONICA CA 97403

Another address listed on the corporate filings is that of someone with his last name, possibly a relative:

HILAL, ALICE
7302 DUNES COURT
BRADENTON FL 34202-5137

The official address listed on their website is:

8374 MARKET ST
447
BRADENTON FL 34202-5137

It all seems pretty fishy to me. I guess they figure that since they have such a 'wonderful' product that they can treat people like dirt, censor them so Subdreamer and their staff don't look bad, and simply ignore major security issues. I sent a letter today to their corporate office requesting a full refund. If I don't receive one then I will be filing complaints with the FTC, BBB, and Florida Attorney General's Office.

I am in the process of migrating over to a free open source CMS. It has nothing to do with cost, it just has to do with preference.

My only suggestion is that if you are thinking of using Subdreamer, then think again. The company is very questionable in my opinion, they don't act upon serious issues, and when you try to raise your voice about these issues, they censor you.

Nicholas
Morgan City, Louisiana
U.S.A.
---------------
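The bug class the complaint describes (a comment handler that never checks whether the poster is allowed to post) is easy to see side by side with its fix. The following is an added example, not Subdreamer code; the `User`, `Article`, permission flag and request dict are assumed stand-ins for whatever the real CMS used.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    can_comment: bool = False      # assumed permission flag on the account

@dataclass
class Article:
    id: int
    comments_enabled: bool = True  # assumed per-article switch
    comments: list = field(default_factory=list)

def post_comment_vulnerable(article, request):
    """'Before': the handler trusts the HTTP request completely.
    No session, no permission check, and the author name is
    client-controlled, so an anonymous visitor can post anything."""
    article.comments.append((request.get("author", "anonymous"), request["body"]))
    return True

def post_comment_checked(article, request, session_user):
    """'After': authorization is decided server-side, from the session,
    before anything is written. Returns False (and writes nothing) on
    every failed check instead of silently accepting the post."""
    if session_user is None:            # not logged in at all
        return False
    if not session_user.can_comment:    # logged in but lacks the permission
        return False
    if not article.comments_enabled:    # article is closed for comments
        return False
    body = request.get("body", "").strip()
    if not body or len(body) > 2000:    # basic input sanity, not a substitute for the checks above
        return False
    # author comes from the authenticated session, never from the request
    article.comments.append((session_user.name, body))
    return True

def demo():
    """Constructed scenario: an anonymous spam post against both handlers."""
    spam = {"author": "Brent", "body": "cheap pills at http://example.invalid"}
    open_article, closed_article = Article(1), Article(2, comments_enabled=False)
    before = post_comment_vulnerable(Article(1), spam)
    anon = post_comment_checked(open_article, spam, None)
    member = post_comment_checked(open_article, {"body": "Nice article."}, User("nick", True))
    closed = post_comment_checked(closed_article, {"body": "hi"}, User("nick", True))
    return before, anon, member, closed, open_article.comments
```

Note that the hardened version also refuses to take the author name from the request, which closes the spoofed-identity variant of the same problem.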
