Bugtraq mailing list archives
Re: EZ Shopper 3.0 shopping cart CGI remote command execution
From: marc () EEYE COM (Marc)
Date: Tue, 29 Feb 2000 18:07:23 -0800
Sent via eMail? Funny you mention that. One of the last clients we did a pen test on was hacked just the same way. Ya, a nice spoofed eMail from Symantxx telling them to update PcAnywhexx.

I guess the point I'm trying to make is that sending updates via eMail is not the brightest of ideas. An eMail with a link to a file, on the software vendor's page, would be much better. Also, no IT person should be running "software patches" that were eMailed to them, because who knows what exactly is being "patched."

I don't know if EZ Shopper 3.0 has their patch posted on the web, so this is not necessarily directed straight at them but at third party software vendors as a whole.

Signed,
Marc
eEye Digital Security
http://www.eEye.com

"It is the years that blind you. Searching so hard for success you lose grasp on the basic wonders of being alive." -chameleon

| -----Original Message-----
| From: Bugtraq List [mailto:BUGTRAQ () SECURITYFOCUS COM] On Behalf Of Alex
| Heiphetz
| Sent: Monday, February 28, 2000 9:43 AM
| To: BUGTRAQ () SECURITYFOCUS COM
| Subject: Re: EZ Shopper 3.0 shopping cart CGI remote command execution
|
|
| At 09:42 AM 2/27/00 +0000, suid () SUID KG wrote:
| >suid () suid kg - EZ Shopper 3.0 remote command execution.
|
| <...>
|
| >Workaround:
| >
| > The vendor, AHG Inc, has released a fixed version, download it from
| > their website and install the fixed version.
|
| Correction: clients are notified and patch is being sent via e-mail.
| Help with installation offered.
|
| Regards,
| AH