Sent via eMail? Funny you mention that. One of the last clients we did a pen test on was hacked just the same way. Ya, a nice spoofed eMail from Symantxx telling them to update PcAnywhexx.

I guess the point I'm trying to make is that sending updates via eMail is not the brightest of ideas. An eMail with a link to a file on the software vendor's page would be much better. Also, no IT person should be running "software patches" that were eMailed to them, because who knows what exactly is being "patched." I don't know if EZ Shopper 3.0 has their patch posted on the web, so this is not necessarily directed straight at them but at third party software vendors as a whole.

Signed,
Marc
eEye Digital Security
http://www.eEye.com

"It is the years that blind you. Searching so hard for success you lose grasp on the basic wonders of being alive." -chameleon

| -----Original Message-----
| From: Bugtraq List [mailto:BUGTRAQat_private]On Behalf Of Alex
| Heiphetz
| Sent: Monday, February 28, 2000 9:43 AM
| To: BUGTRAQat_private
| Subject: Re: EZ Shopper 3.0 shopping cart CGI remote command execution
|
|
| At 09:42 AM 2/27/00 +0000, suidat_private wrote:
| >suidat_private - EZ Shopper 3.0 remote command execution.
|
| <...>
|
| >Workaround:
| >
| > The vendor, AHG Inc, has released a fixed version, download it from
| > their website and install the fixed version.
|
| Correction: clients are notified and patch is being sent via e-mail.
| Help with installation offered.
|
| Regards,
| AH
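The advice in the message above (fetch the patch from the vendor's own site rather than run whatever arrives as an e-mail attachment) becomes enforceable when the vendor also publishes a checksum on that site, obtained over a channel separate from the e-mail. The Python below is an added example and is not code from the original post, from eEye, or from AHG Inc; the patch contents, the file name `ezshopper-3.0-patch.tar.gz` and the checksum manifest are all constructed here, and the manifest format mirrors `sha256sum` output, which a given vendor page may or may not provide.

```python
"""Refuse to apply a patch unless its SHA-256 matches a checksum fetched
out-of-band (for example from the vendor's download page).

Added illustration; not code from the original post, eEye or AHG Inc.
Every file content, file name and checksum below is constructed for the demo.
"""
import hashlib
import hmac
from typing import Dict


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the given bytes."""
    return hashlib.sha256(data).hexdigest()


def parse_checksum_manifest(text: str) -> Dict[str, str]:
    """Parse 'sha256sum'-style lines: '<64 hex chars>  <filename>'.

    Blank lines and '#' comments are skipped; a malformed line raises
    ValueError rather than being silently ignored, so a truncated or
    tampered manifest cannot quietly drop an entry.
    """
    manifest: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        name = name.strip().lstrip("*")  # sha256sum marks binary mode with '*'
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        manifest[name] = digest.lower()
    return manifest


def verify_patch(name: str, data: bytes, manifest: Dict[str, str]) -> bool:
    """True only if the manifest lists `name` and the digest matches exactly."""
    expected = manifest.get(name)
    if expected is None:
        return False  # a file the vendor never published is never trusted
    # Constant-time comparison of the two hex digests.
    return hmac.compare_digest(sha256_hex(data), expected)


def decide(name: str, data: bytes, manifest_text: str) -> str:
    """Operator-facing verdict: 'apply' or 'reject'."""
    manifest = parse_checksum_manifest(manifest_text)
    return "apply" if verify_patch(name, data, manifest) else "reject"


# --- constructed sample data (none of this is real vendor material) ---
PATCH_NAME = "ezshopper-3.0-patch.tar.gz"  # constructed file name
GENUINE_PATCH = (
    b"# EZ Shopper 3.0 fixed CGI (constructed placeholder contents)\n"
    b"print 'patched';\n"
)
# Same file name, one extra line: what a spoofed "update" attachment might carry.
EMAILED_ATTACHMENT = GENUINE_PATCH + b"# extra line not in the vendor release (constructed)\n"
# Checksum list as it would appear on the vendor's download page (constructed).
VENDOR_MANIFEST_TEXT = (
    "# SHA256SUMS published on the vendor web site (constructed)\n"
    f"{sha256_hex(GENUINE_PATCH)}  {PATCH_NAME}\n"
)

if __name__ == "__main__":
    print("download from vendor site:", decide(PATCH_NAME, GENUINE_PATCH, VENDOR_MANIFEST_TEXT))
    print("attachment from e-mail:   ", decide(PATCH_NAME, EMAILED_ATTACHMENT, VENDOR_MANIFEST_TEXT))
```

The check only means something if the manifest comes from somewhere the attacker does not control; a checksum quoted in the same e-mail as the attachment proves nothing. Where the vendor signs its manifest, verifying that signature first is the stronger version of the same idea.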
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:38:30 PDT