Bugtraq: Re: EZ Shopper 3.0 shopping cart CGI remote command execution

Re: EZ Shopper 3.0 shopping cart CGI remote command execution

From: Marc <marc_at_EEYE.COM>
Date: Tue, 29 Feb 2000 18:07:23 -0800

Sent via eMail? Funny you mention that. One of the last clients we did a pen
test on was hacked just the same way. Ya a nice spoofed eMail from Symantxx
telling them to update PcAnywhexx.

I guess the point I'm trying to make is that sending updates via eMail is
not the brightest of ideas. An eMail with a link to a file, on the software
vendor's page, would be much better. Also no IT person should be running
"software patches" that were eMailed to them because who knows what exactly
is being "patched."

I don't know if EZ Shopper 3.0 has their patch posted on the web so this is
not necessarily directed straight at them but third party software vendors
as a whole.

Signed,
Marc
eEye Digital Security
http://www.eEye.com

"It is the years that blind you. Searching so hard for success you lose
grasp on the basic wonders of being alive."
-chameleon

| -----Original Message-----
| From: Bugtraq List [mailto:BUGTRAQ_at_SECURITYFOCUS.COM]On Behalf Of Alex
| Heiphetz
| Sent: Monday, February 28, 2000 9:43 AM
| To: BUGTRAQ_at_SECURITYFOCUS.COM
| Subject: Re: EZ Shopper 3.0 shopping cart CGI remote command execution
|
|
| At 09:42 AM 2/27/00 +0000, suid_at_SUID.KG wrote:
| >suid_at_suid.kg - EZ Shopper 3.0 remote command execution.
|
| <...>
|
| >Workaround:
| >
| > The vendor, AHG Inc, has released a fixed version, download it from
| > their website and install the fixed version.
|
| Correction: clients are notified and patch is being sent via e-mail.
| Help with installation offered.
|
| Regards,
| AH
|
Received on Mar 01 2000
