Bugtraq mailing list archives

Re: EZ Shopper 3.0 shopping cart CGI remote command execution


From: marc () EEYE COM (Marc)
Date: Tue, 29 Feb 2000 18:07:23 -0800


Sent via eMail? Funny you mention that. One of the last clients we did a pen
test on was hacked just the same way. Ya a nice spoofed eMail from Symantxx
telling them to update PcAnywhexx.

I guess the point I'm trying to make is that sending updates via eMail is
not the brightest of ideas. An eMail with a link to a file, on the software
vendor's page, would be much better. Also, no IT person should be running
"software patches" that were eMailed to them, because who knows what exactly
is being "patched."

I don't know if EZ Shopper 3.0 has their patch posted on the web so this is
not necessarily directed straight at them but third party software vendors
as a whole.

Signed,
Marc
eEye Digital Security
http://www.eEye.com

"It is the years that blind you. Searching so hard for success you lose
grasp on the basic wonders of being alive."
-chameleon

| -----Original Message-----
| From: Bugtraq List [mailto:BUGTRAQ () SECURITYFOCUS COM]On Behalf Of Alex
| Heiphetz
| Sent: Monday, February 28, 2000 9:43 AM
| To: BUGTRAQ () SECURITYFOCUS COM
| Subject: Re: EZ Shopper 3.0 shopping cart CGI remote command execution
|
|
| At 09:42 AM 2/27/00 +0000, suid () SUID KG wrote:
| >suid () suid kg - EZ Shopper 3.0 remote command execution.
|
| <...>
|
| >Workaround:
| >
| >     The vendor, AHG Inc, has released a fixed version, download it from
| >     their website and install the fixed version.
|
| Correction: clients are notified and the patch is being sent via e-mail.
| Help with installation is offered.
|
| Regards,
| AH
|

