Home page logo

bugtraq logo Bugtraq mailing list archives

Re: EZ Shopper 3.0 shopping cart CGI remote command execution
From: marc () EEYE COM (Marc)
Date: Tue, 29 Feb 2000 18:07:23 -0800

Sent via eMail? Funny you mention that. One of the last clients we did a pen
test on was hacked just the same way. Ya a nice spoofed eMail from Symantxx
telling them to update PcAnywhexx.

I guess the point I'm trying to make is that sending updates via eMail is
not the brightest of ideas. An eMail with a link to a file, on the software
vendors page, would be much better. Also no IT person should be running
"software patches" that were eMailed to them because who knows what exactly
is being "patched."

I don't know if EZ Shopper 3.0 has their patch posted on the web so this is
not necessarily directed straight at them but third party software vendors
as a whole.

eEye Digital Security

"It is the years that blind you. Searching so hard for success you lose
grasp on the basic wonders of being alive."

| -----Original Message-----
| From: Bugtraq List [mailto:BUGTRAQ () SECURITYFOCUS COM]On Behalf Of Alex
| Heiphetz
| Sent: Monday, February 28, 2000 9:43 AM
| Subject: Re: EZ Shopper 3.0 shopping cart CGI remote command execution
| At 09:42 AM 2/27/00 +0000, suid () SUID KG wrote:
| >suid () suid kg - EZ Shopper 3.0 remote command execution.
| <...>
| >Workaround:
| >
| >     The vendor, AHG Inc, has released a fixed version, download it from
| >     their website and install the fixed version.
| Correction: clients are notified and patch is being sent via e-mail.
| Help with installation offered.
| Regards,
| AH

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]