VP-ASP :: Shopping Cart Software

Shopping Cart Software Solutions for anywhere in the World

US/Canada(Toll Free): +1 888 587 2278
Europe/UK: +44 (020) 7193 9408
Australia/New Zealand: +61 3 9016 4497

VP-ASP Shopping Cart Customer Forum

Home | Profile | Register | Active Topics | Members | Search | FAQ
Username:
Password:
Save Password
Forgot your Password?

 All Forums
 VPCart Forum
 Credit card fraud and hackers
 Some unexpected delay...
 New Topic  Reply to Topic
 Printer Friendly
Author Previous Topic Topic Next Topic  

bookseller
Starting Member

24 Posts

Posted - July 12 2006 :  13:20:31  Show Profile  Reply with Quote
Hello,

I always maintain my vpasp 5.5 shop up to date in what regards the security advises of the vpasp team. However, I was suprised to notice that today's security update newsletter for July mentions a "highly critical" vulnerability which was already identified and corrected in March. Since I always apply the security patches in a timerly manner, my files were already corrected after the same instructions and the downloadable zip patch shows that shopmailpwd.asp and shop$db.asp were already corrected in March.
What is the point in sending "highly critical security updates" 4 months after the vulnerability was discovered?
Thank you for your attention and keep up the good work

dmaui
Starting Member

18 Posts

Posted - July 12 2006 :  16:59:24  Show Profile  Reply with Quote
I was also confused by this, as these updates seem to be duplicates of what we already received in the 6.08 patch. If there is something different that needs changed besides what I'd already changed in the 6.08 patch, I'd like to know.
Go to Top of Page

support
Administrator

4266 Posts

Posted - July 12 2006 :  18:32:29  Show Profile  Visit support's Homepage  Reply with Quote
Hi there,

We had released this in March but we have noticed while doing support that many people have not applied it hence the follow up advisory.

One of the many things that has changed here is our focus on security and whenever we notice a recurring problem such as this we will follow it up to ensure it is patched.

The image upload issue was the same. We sent out a follow up 4 months after the original vulnerability was discovered because too many people had not applied the patch. Unfortunately we still see this sometimes even now.

So if the patch has been applied to your site already you can ignore the advisory, if not we strongly recommend adding it.

If you do not feel comfortable adding it yourself then you can download the patch for your version from:
http://www.vpasp.com/virtprog/info/faq_security.htm

Not sure if you know but we also have a page detailing the list of fixes for all versions including YourVirtualStore and OxfordStreet.

You can view this at:
http://www.vpasp.com/helpnotes/fixes.asp

We hope you do not mind receiving these emails from us about security. We never used to send anything and this in our opinion was a serious oversight so the new system will hopefully ensure that you are protected.

Thanks,
Cam

VP-ASP Support
Go to Top of Page

bookseller
Starting Member

24 Posts

Posted - July 13 2006 :  06:52:32  Show Profile  Reply with Quote
Hello,

I understand the need to call vpasp customers to apply the security patches, but there should be a way for those who already applied your patches since the very first notice, to be aware that the security alert is just a reminder and that they are up to date. Otherwise it could lead them to spend useless time in checking and, in the end, have counterproductive side effects.
Thank you anyway for your attention.
Go to Top of Page

support
Administrator

4266 Posts

Posted - July 13 2006 :  06:58:52  Show Profile  Visit support's Homepage  Reply with Quote
As long as you keep up to date with the advisories in the fixes page and compare the dates you will be ok.

http://www.vpasp.com/helpnotes/fixes.asp

If these are kept up to date you can quickly check the advisory and the date it was entered into the fixes section and if it is an existing patch being re-released you can ignore it.

Thanks,
Cam

VP-ASP Support
Go to Top of Page
  Previous Topic Topic Next Topic  
 New Topic  Reply to Topic
 Printer Friendly
Jump To:
Snitz Forums 2000