Security Incidents mailing list archives

Re: Vulnerability in /cgi-bin/shopper.exe?


From: David Kennedy CISSP <david.kennedy () acm org>
Date: Fri, 27 Jul 2001 03:30:56 -0400

-----BEGIN PGP SIGNED MESSAGE-----

At 12:38 PM 7/26/01 -0700, Michael Katz wrote:
> I have been unable to find any specific vulnerabilities with
> shopper.exe.
>
> I believe that there are either new unpublished vulnerabilities in
> the shopper.exe executable or attackers are looking to exploit the
> existing vulnerabilities listed above.

If you have PDGSoft's Shopping Cart package, be warned.

http://www.nipc.gov/warnings/advisories/2001/01-007.htm

ADVISORY 01-007

"PDG Shopping Cart Software" Vulnerability Affecting E-Commerce
Issued
04/06/2001

If you download the W32 version of the patch, a new version of
shopper.exe is in the archive.

To give a little credit where credit is due, AFAIK this was the only
time NIPC issued an advisory before a problem was common knowledge by
anyone not living in a cave.  To what extent there were already
victims of the problem is something we'll probably never know. I do
wonder if it had anything to do with their investigation that yielded
one of their "DOH" advisories:
http://www.nipc.gov/warnings/advisories/2001/01-003.htm


-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.8
Comment: hacker=cybercriminal the definition has changed; get over it

iQCVAwUBO2EYe/GfiIQsciJtAQHUAgQAxiNOcW5vdLNMO9Lp7Tmd0Ngt9SRuP94c
2qWhKavXOUgIj5e3stfIHqtnguuyVn3qoB4AeKDNGWoz1pok2vjcozNl8C0ToFZW
fPnkvyymqGW9Vga44dqeR6Cu3opblHuQ74mFubNtlPFseju0erj1CcDDwyE6Hkm9
PNpAV/WVAls=
=KEDL
-----END PGP SIGNATURE-----

-- 
Regards,

David Kennedy CISSP
Director of Research Services, TruSecure Corp. http://www.trusecure.com
Protect what you connect.
Look both ways before crossing the Net.


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com