Home page logo
/

bugtraq logo Bugtraq mailing list archives

Distributing Patches in Email (was: RE: EZ Shopper 3.0 shopping cart CGI remote command execution)
From: blake () HOMEPORT ORG (Scott Blake)
Date: Wed, 1 Mar 2000 20:37:19 -0500


As someone who works for a vendor that does distribute product updates
via email, I feel that I need to respond.  An exception the rule Marc
mentions should be non-executable, strongly signed updates.  Concerned
users can easily verify the signature manually (the software does so
automatically) to be certain of the file's provenance and integrity.
A key advantage to this approach is that the software can be fully
up-to-date without admins needing to spare cycles (or can be fully
manual, user's choice).  Furthermore, there is no need to make any
adjustments to firewalls -- the inbound mail is routed to your normal
mail server and the software retrieves it from there.  Oh, the
software I'm refering to is HackerShield.

That said, running executables received in email is never a good idea
(possibly excepting strongly signed files).

-scott

Btw, if anyone sees a flaw in our approach, I'd love to hear it.

------
Scott Blake
BindView's RAZOR Team
http://razor.bindview.com/

-----Original Message-----
From: Bugtraq List [mailto:BUGTRAQ () SECURITYFOCUS COM]On
Behalf Of Marc
Sent: Tuesday, February 29, 2000 9:07 PM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Re: EZ Shopper 3.0 shopping cart CGI remote
command execution


Sent via eMail? Funny you mention that. One of the last
clients we did a pen
test on was hacked just the same way. Ya a nice spoofed
eMail from Symantxx
telling them to update PcAnywhexx.

I guess the point I'm trying to make is that sending
updates via eMail is
not the brightest of ideas. An eMail with a link to a file,
on the software
vendors page, would be much better. Also no IT person
should be running
"software patches" that were eMailed to them because who
knows what exactly
is being "patched."

I don't know if EZ Shopper 3.0 has their patch posted on
the web so this is
not necessarily directed straight at them but third party
software vendors
as a whole.

Signed,
Marc
eEye Digital Security
http://www.eEye.com

"It is the years that blind you. Searching so hard for
success you lose
grasp on the basic wonders of being alive."
-chameleon


| -----Original Message-----
| From: Bugtraq List [mailto:BUGTRAQ () SECURITYFOCUS COM]On
Behalf Of Alex
| Heiphetz
| Sent: Monday, February 28, 2000 9:43 AM
| To: BUGTRAQ () SECURITYFOCUS COM
| Subject: Re: EZ Shopper 3.0 shopping cart CGI remote
command execution
|
|
| At 09:42 AM 2/27/00 +0000, suid () SUID KG wrote:
| >suid () suid kg - EZ Shopper 3.0 remote command execution.
|
| <...>
|
| >Workaround:
| >
| >   The vendor, AHG Inc, has released a fixed version,
download it from
| >   their website and install the fixed version.
|
| Correction: clients are notified and patch is being sent
via e-mail.
| Help with installation offered.
|
| Regards,
| AH
|



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]