Bugtraq mailing list archives
Distributing Patches in Email (was: RE: EZ Shopper 3.0 shopping cart CGI remote command execution)
From: blake () HOMEPORT ORG (Scott Blake)
Date: Wed, 1 Mar 2000 20:37:19 -0500
As someone who works for a vendor that does distribute product updates via email, I feel that I need to respond. An exception to the rule Marc mentions should be non-executable, strongly signed updates. Concerned users can easily verify the signature manually (the software does so automatically) to be certain of the file's provenance and integrity. A key advantage to this approach is that the software can be fully up-to-date without admins needing to spare cycles (or can be fully manual, user's choice). Furthermore, there is no need to make any adjustments to firewalls -- the inbound mail is routed to your normal mail server and the software retrieves it from there.

Oh, the software I'm referring to is HackerShield.

That said, running executables received in email is never a good idea (possibly excepting strongly signed files).

-scott

Btw, if anyone sees a flaw in our approach, I'd love to hear it.

------
Scott Blake
BindView's RAZOR Team
http://razor.bindview.com/
-----Original Message-----
From: Bugtraq List [mailto:BUGTRAQ () SECURITYFOCUS COM] On Behalf Of Marc
Sent: Tuesday, February 29, 2000 9:07 PM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Re: EZ Shopper 3.0 shopping cart CGI remote command execution

Sent via eMail? Funny you mention that. One of the last clients we did a pen test on was hacked just the same way. Ya, a nice spoofed eMail from Symantxx telling them to update PcAnywhexx. I guess the point I'm trying to make is that sending updates via eMail is not the brightest of ideas. An eMail with a link to a file, on the software vendor's page, would be much better. Also no IT person should be running "software patches" that were eMailed to them because who knows what exactly is being "patched." I don't know if EZ Shopper 3.0 has their patch posted on the web so this is not necessarily directed straight at them but third party software vendors as a whole.

Signed,
Marc
eEye Digital Security
http://www.eEye.com

"It is the years that blind you. Searching so hard for success you lose grasp on the basic wonders of being alive." -chameleon

| -----Original Message-----
| From: Bugtraq List [mailto:BUGTRAQ () SECURITYFOCUS COM] On Behalf Of Alex Heiphetz
| Sent: Monday, February 28, 2000 9:43 AM
| To: BUGTRAQ () SECURITYFOCUS COM
| Subject: Re: EZ Shopper 3.0 shopping cart CGI remote command execution
|
|
| At 09:42 AM 2/27/00 +0000, suid () SUID KG wrote:
| >suid () suid kg - EZ Shopper 3.0 remote command execution.
|
| <...>
|
| >Workaround:
| >
| > The vendor, AHG Inc, has released a fixed version, download it from
| > their website and install the fixed version.
|
| Correction: clients are notified and the patch is being sent via e-mail.
| Help with installation offered.
|
| Regards,
| AH
|
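The approach Scott describes above (a non-executable, strongly signed update that the product checks against the vendor key it shipped with before reading a byte of the contents) in Go, as an added example that is not part of this thread and not HackerShield's code. The ed25519 key pair, the `UPDATE-DB v1` header and the update body are constructed here for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed header the product expects at the start of every update
// body; the body is data the product parses, never code it runs.
var updateMagic = []byte("UPDATE-DB v1\n")

// SignedUpdate is what would travel inside the mail message: the update
// body plus the vendor's detached signature over it.
type SignedUpdate struct {
	Body      []byte
	Signature []byte
}

// signUpdate is the vendor side: sign the body before mailing it out.
func signUpdate(vendorPriv ed25519.PrivateKey, body []byte) SignedUpdate {
	return SignedUpdate{Body: body, Signature: ed25519.Sign(vendorPriv, body)}
}

// VerifyUpdate is the client side. vendorPub is assumed to be pinned in the
// installed product, so mail from any other sender cannot pass. The signature
// is checked before the body is interpreted, and the body is only parsed as data.
func VerifyUpdate(vendorPub ed25519.PublicKey, u SignedUpdate) ([]byte, error) {
	if len(u.Signature) != ed25519.SignatureSize {
		return nil, errors.New("malformed signature: update discarded")
	}
	if !ed25519.Verify(vendorPub, u.Body, u.Signature) {
		return nil, errors.New("signature does not verify: update discarded")
	}
	if !bytes.HasPrefix(u.Body, updateMagic) {
		return nil, errors.New("signed body is not an update file: discarded")
	}
	return u.Body[len(updateMagic):], nil
}

func main() {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	body := append(append([]byte{}, updateMagic...), "rule-1\nrule-2\n"...)
	rules, err := VerifyUpdate(vendorPub, signUpdate(vendorPriv, body))
	fmt.Printf("rules=%q err=%v\n", rules, err)
}
```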