[mv] Openhack story...http://www.zdnet.com/eweek/stories/general/0,11011,2606344,00.html
****** message to minivend-users from "birgitt" <birgitt@cais.com> ******
Do I understand it correctly that the patch provided on July 12th on Akopia's site
closes _all_ three vulnerabilities Mr. Mora has found?
I add a quote from this article on July 24th
http://www.zdnet.com/eweek/stories/general/0,11011,2606344,00.html
<quote>
The hack into Openhack's Oracle8i database server was performed by Spanish security
consultant Lluis Mora, who also felled eWeek Labs' previous security test site. Mora's attack
was methodical and highly sophisticated. It took him a total of 40 hours to find three
vulnerabilities in Akopia Inc.'s MiniVend storefront package, which provided the pathway
into the internal site network, and one in an optional component of Sun Microsystems Inc.'s
Solaris 8 operating environment.
</quote>
The security advisory on Akopia's site mentions one vulnerability found by Alexander
Lazic, not the ones found by Lluis Mora.
The patch for the hole Mr. Lazic found has been released officially July 12th on Akopia's site.
The first time it was mentioned on this list by Alexander Lazic, was July 3rd.
http://www.minivend.com/minivend/minivend-list/2000/msg05179.html
Mike Heins has put up a patch on this list July 5th.
http://www.minivend.com/minivend/minivend-list/2000/msg05223.html
So, are the vulnerabilities mentioned in the article from July 24th now additional
Minivend vulnerabilities?
In the article from July 17th
http://www.zdnet.com/eweek/stories/general/0,11011,2604052,00.html
it was said that Mr. Mora used the same template Alexander Lazic used
to crack the site, but used it differently, as the site meanwhile was patched.
The difference in the dates for releasing the patch by Akopia and the time frame the
article from July 18th
http://www.zdnet.com/eweek/stories/general/0,11011,2604981,00.html
mentions for Mr. Mora's 40 hour dissection of the test site leads to the conclusion
that the patch provided by Akopia doesn't cover the vulnerabilities found by Mr. Mora.
I understand that for security reasons nothing more specific about the security
vulnerabilities can be said, but it should be made clear if the vulnerabilities mentioned
in the article from July 24th are new ones or not and if they are already covered by
the patch released July 12th.
If that is a wrong conclusion it should be clarified, because it is misleading.
If the conclusion is right, it should be mentioned on this list and said that someone
is working on it to fix it, IMHO.
Birgitt Funk