
List:       bugtraq
Subject:    Re: EC app security
From:       Suzanne Shine <suzanne () VDOT ! NET>
Date:       1999-04-28 20:29:03

I'm not sure about the other ECs, but our company had purchased EZMall
2000 from the vendor, and only a day or so after the first posting
regarding security issues we had received an email regarding this posting,
as well as a supposed patch from the vendor.

I haven't had time to look at the patch; the site we use this for is a
non-commerce site, and none of the logs are kept on the server, so there's
no 'security' issues involved with our implementation. The manufacturer,
however, was quite detailed with what needed to be done as far as securing
a commerce site (basic permissions issues, not including patch). The patch
contains two scripts which change the following:

1. Encrypted username and password file.
2. Added a PIN (Personal ID Number) to the Admin Screen.
3. Removed the admin username and password from the cfg file.
4. Renamed the password file so that it will not be able to be
   viewed by the general public.

As I said, I haven't actually utilized the patch as of yet. The cart was
more on our server for testing purposes than anything else... there are no
actual currency carts involved.

What I find interesting, though, is the 'silence' from other vendors.
Granted, I might have missed a posting or two, but in light of the
ever-increasing number of SCs being implicated, I would have thought that
I'd have noticed more. I've been lurking on the various commerce sites for
a while, to see what kind of issues come up with their customers
and haven't seen or heard anything regarding the security holes brought to
light last week. But that could be just me.



=====================================
Suzanne Shine
V.Dot Net, Inc. Systems Administrator
Voice: 516.234.5680
Fax: 516.348.1866
Email: suzanne@vdot.net
=====================================
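Added illustration, not code from EZMall 2000, its vendor or the poster above: the four patch items in the message amount to a short hardening checklist for a CGI cart, and the script below audits a constructed deployment for three of them (credentials stored hashed rather than in the clear, no admin login in the cfg file, cfg and password files outside the web root). All file names, config keys and paths are assumptions; the admin PIN (item 2) is not modeled; and where the post says "encrypted", the example uses salted PBKDF2 hashing, which is the usual choice for stored passwords, not reversible encryption.

```python
import hashlib
import hmac
import os
import re
import secrets
import tempfile

# Keys that, when present with a literal value, mean the admin login sits in the
# cfg file in the clear (patch item 3). The key names are constructed placeholders.
PLAINTEXT_CRED_RE = re.compile(
    r"^\s*(admin_user|admin_pass|admin_password)\s*=\s*\S+",
    re.IGNORECASE | re.MULTILINE,
)
PBKDF2_ROUNDS = 200_000


def hash_password(password, salt=None):
    """Return a salted PBKDF2-SHA256 record: pbkdf2_sha256$rounds$salthex$digesthex."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ROUNDS, salt.hex(), digest.hex())


def verify_password(password, record):
    """Constant-time comparison of a password against a hash_password() record."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    try:
        rounds, salt, expected = int(parts[1]), bytes.fromhex(parts[2]), parts[3]
    except ValueError:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(digest.hex(), expected)


def is_hashed_record(line):
    """A 'user:record' line counts as protected only if the record is a PBKDF2 string."""
    _, _, record = line.partition(":")
    return record.startswith("pbkdf2_sha256$") and record.count("$") == 3


def is_under_docroot(path, docroot):
    """True when the file resolves to a location the web server can serve (item 4)."""
    real, root = os.path.realpath(path), os.path.realpath(docroot)
    return os.path.commonpath([real, root]) == root


def audit_deployment(docroot, cfg_path, passwd_path):
    """Return a list of findings; an empty list means every check passes."""
    findings = []
    with open(cfg_path, encoding="utf-8") as f:
        if PLAINTEXT_CRED_RE.search(f.read()):
            findings.append("cfg: admin username/password stored in plaintext")
    if is_under_docroot(cfg_path, docroot):
        findings.append("cfg: file lives inside the web root")
    if is_under_docroot(passwd_path, docroot):
        findings.append("passwd: password file lives inside the web root")
    with open(passwd_path, encoding="utf-8") as f:
        if any(l.strip() and not is_hashed_record(l.strip()) for l in f):
            findings.append("passwd: at least one credential is not hashed")
    return findings


def build_demo(hardened):
    """Write a constructed before/after layout into a temp dir and audit it."""
    base = tempfile.mkdtemp()
    docroot = os.path.join(base, "htdocs")
    private = os.path.join(base, "private")
    os.makedirs(os.path.join(docroot, "cgi-bin"))
    os.makedirs(private)
    if hardened:
        cfg = os.path.join(private, "cart.cfg")          # outside the web root
        passwd = os.path.join(private, "cart.passwd")    # renamed and moved (item 4)
        cfg_text = "store_name=Demo Store\n"             # admin creds removed (item 3)
        pw_text = "admin:" + hash_password("correct horse") + "\n"  # hashed (item 1)
    else:
        cfg = os.path.join(docroot, "cgi-bin", "cart.cfg")
        passwd = os.path.join(docroot, "cgi-bin", "passwd.txt")
        cfg_text = "store_name=Demo Store\nadmin_user=admin\nadmin_pass=letmein\n"
        pw_text = "admin:letmein\n"
    for path, text in ((cfg, cfg_text), (passwd, pw_text)):
        with open(path, "w", encoding="utf-8") as f:
            f.write(text)
    return audit_deployment(docroot, cfg, passwd)


if __name__ == "__main__":
    print("before patch:", build_demo(hardened=False))
    print("after patch: ", build_demo(hardened=True))
```

The "before" layout reproduces the situation the thread is about (login material readable under the document root); the "after" layout passes all four checks. In a real deployment the audit would be pointed at the cart's actual cfg and password files, and the web-root check is the one most often missed when a patch only renames a file without moving it.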

