I'm not sure about the other ECs, but our company had purchased EZMall 2000 from the vendor, and only a day or so after the first posting regarding security issues we had received an email regarding this posting, as well as a supposed patch from the vendor. I haven't had time to look at the patch; the site we use this for is a non-commerce site, and none of the logs are kept on the server, so there are no 'security' issues involved with our implementation. The manufacturer, however, was quite detailed with what needed to be done as far as securing a commerce site (basic permissions issues, not including patch).

The patch contains two scripts which change the following:

1. Encrypted username and password file.
2. Added a PIN (Personal ID Number) to the Admin Screen.
3. Removed the admin username and password from the cfg file.
4. Renamed the password file so that it will not be able to be viewed by the general public.

As I said, I haven't actually utilized the patch as of yet. The cart was more on our server for testing purposes than anything else...there are no actual currency carts involved.

What I find interesting, though, is the 'silence' from other vendors. Granted, I might have missed a posting or two, but in light of the ever-increasing number of SCs being implicated, I would have thought that I'd have noticed more. I've been lurking on the various commerce sites for a while, to see what kind of issues come up with their customers, and haven't seen or heard anything regarding the security holes brought to light last week. But that could be just me.

=====================================
Suzanne Shine
V.Dot Net, Inc.
Systems Administrator
Voice: 516.234.5680
Fax: 516.348.1866
Email: suzanneat_private
=====================================

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:44:18 PDT