[14116] in bugtraq
Re: EZ Shopper 3.0 shopping cart CGI remote command execution
daemon@ATHENA.MIT.EDU (Marc)
Wed Mar  1 18:54:11 2000
Message-Id:  <JEENLNLIMOLKDGAHKOCHEEIICNAA.marc@eeye.com>
Date:         Tue, 29 Feb 2000 18:07:23 -0800
Reply-To: Marc <marc@EEYE.COM>
From: Marc <marc@EEYE.COM>
X-To:         Alex Heiphetz <ahg@CVZOOM.NET>, BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <3.0.6.32.20000228124308.008ea190@cvzoom.net>
Sent via eMail? Funny you mention that. One of the last clients we did a pen
test on was hacked just the same way. Ya a nice spoofed eMail from Symantxx
telling them to update PcAnywhexx.
I guess the point I'm trying to make is that sending updates via eMail is
not the brightest of ideas. An eMail with a link to a file, on the software
vendor's page, would be much better. Also no IT person should be running
"software patches" that were eMailed to them because who knows what exactly
is being "patched."
I don't know if EZ Shopper 3.0 has their patch posted on the web so this is
not necessarily directed straight at them but third party software vendors
as a whole.
Signed,
Marc
eEye Digital Security
http://www.eEye.com
"It is the years that blind you. Searching so hard for success you lose
grasp on the basic wonders of being alive."
-chameleon
| -----Original Message-----
| From: Bugtraq List [mailto:BUGTRAQ@SECURITYFOCUS.COM]On Behalf Of Alex
| Heiphetz
| Sent: Monday, February 28, 2000 9:43 AM
| To: BUGTRAQ@SECURITYFOCUS.COM
| Subject: Re: EZ Shopper 3.0 shopping cart CGI remote command execution
|
|
| At 09:42 AM 2/27/00 +0000, suid@SUID.KG wrote:
| >suid@suid.kg - EZ Shopper 3.0 remote command execution.
|
| <...>
|
| >Workaround:
| >
| >	The vendor, AHG Inc, has released a fixed version, download it from
| >	their website and install the fixed version.
|
| Correction: clients are notified and patch is being sent via e-mail.
| Help with installation offered.
|
| Regards,
| AH
|