Message-ID: <20040218172732.6122.qmail@www.securityfocus.com>
Date: 18 Feb 2004 17:27:32 -0000
From: Massimo Arrigoni <info@...lyimpact.com>
To: bugtraq@...urityfocus.com
Subject: Re: EarlyImpact ProductCart shopping cart software multiple
security vulnerabilities
In-Reply-To: <40331EF8.6000700@...uadra.com>
Regarding: S-Quadra Advisory #2004-02-16
http://www.securityfocus.com/archive/1/354288/2004-02-15/2004-02-21/0
S-Quadra was given specific information about available fixes and other comments related to the alleged security vulnerabilities. Yet they decided not to post any of them. This behavior seems highly unprofessional.
The following is Early Impact's official response to the alleged vulnerabilities concerning the company's ProductCart ecommerce software.
-- Vulnerability 1: Incorrect use of cryptography
Early Impact official response: Vulnerability 1 cannot be exploited since vulnerabilities 2 and 3 have been addressed. Nevertheless, Early Impact is further investigating the issue and will look at alternative uses of cryptography for future versions of ProductCart.
-- Vulnerability 2: SQL Injection vulnerability
Early Impact official response: Vulnerability 2 was addressed with the Security Patch released on 01.30.2004, which is available for download at no charge from http://www.earlyimpact.com/productcart/support/ - This vulnerability does not apply to ProductCart v2.53 and above. All users of ProductCart v2.52 and below were notified of this security issue and of the availability of the corresponding Security Patch upon its release.
-- Vulnerability 3: Cross Site Scripting vulnerability in 'Custva.asp'
Early Impact official response: Vulnerability 3 was addressed with the Security Patch released on 01.30.2004, which is available for download at no charge from http://www.earlyimpact.com/productcart/support/ - This vulnerability does not apply to ProductCart v2.53 and above. All users of ProductCart v2.52 and below were notified of this security issue and of the availability of the corresponding Security Patch upon its release.
If you need additional information, please contact Early Impact at info@...lyimpact.com