Re: Back Door in Commercial Shopping Cart [RESOLVED]

[dankamin () CISCO COM (Dan Kaminsky)]

Just to bring some closure to this, the Dansie Shopping Cart bug has been
removed--it should no longer either email him anti-piracy information nor
allow any surreptitious access.  Craig is shipping the patch in his next
update to all his customers; due to the nature of his script, all customers
need to update on a regular basis to remain functional.  So the bug should
truly be eradicated within the next few days.

This was actually taken care of on Friday, within a few hours of me
contacting a client of Dansie's(James Hart of Stormer Hosting; many thanks
to him for hearing me out and acting so quickly).  They were pretty
proactive once they understood their position.

This wasn't a malicious case, but it did illustrate just how dangerous a
lack of security knowledge can be.  I'm curious if there's something along
the lines of a "two page checklist" for the non-security oriented programmer
to look at (and be pointed to) that basically issues critical do's and
don'ts when programming anything that's network enabled.  Not something
vague(but true) like "Don't trust anything from the client"...more along the
lines of specifying MD5/SHA-1, never add a backdoor, never include
identifiable feedback, etc.

I think alot of us simply take for granted just how much there is to know in
the security realm.  One only needs to look around to realize that good
programmers can just do very bad things not out of malice or even stupidity
but just plain old lack of knowledge.  We can, and should, do something to
fix that.

Yours Truly,

    Dan Kaminsky