Re: EZ Shopper 3.0 shopping cart CGI remote command execution
From: marc () EEYE COM (Marc)
Date: Tue, 29 Feb 2000 18:07:23 -0800
Sent via eMail? Funny you mention that. One of the last clients we did a pen
test on was hacked just the same way. Yeah, a nice spoofed eMail from Symantxx
telling them to update PcAnywhexx.
I guess the point I'm trying to make is that sending updates via eMail is
not the brightest of ideas. An eMail with a link to a file on the software
vendor's page would be much better. Also, no IT person should be running
"software patches" that were eMailed to them, because who knows what exactly
is being "patched."
I don't know if EZ Shopper 3.0 has their patch posted on the web, so this is
not necessarily directed straight at them but at third-party software vendors
as a whole.
eEye Digital Security
"It is the years that blind you. Searching so hard for success you lose
grasp on the basic wonders of being alive."
| -----Original Message-----
| From: Bugtraq List [mailto:BUGTRAQ () SECURITYFOCUS COM]On Behalf Of Alex
| Sent: Monday, February 28, 2000 9:43 AM
| To: BUGTRAQ () SECURITYFOCUS COM
| Subject: Re: EZ Shopper 3.0 shopping cart CGI remote command execution
| At 09:42 AM 2/27/00 +0000, suid () SUID KG wrote:
| >suid () suid kg - EZ Shopper 3.0 remote command execution.
| > The vendor, AHG Inc, has released a fixed version, download it from
| > their website and install the fixed version.
| Correction: clients are notified and the patch is being sent via e-mail.
| Help with installation is offered.