 Some unexpected delay...

bookseller
Starting Member

24 Posts

Posted - July 12 2006 : 13:20:31
Hello,

I always maintain my vpasp 5.5 shop up to date in what regards the security advisories of the vpasp team. However, I was surprised to notice that today's security update newsletter for July mentions a "highly critical" vulnerability which was already identified and corrected in March. Since I always apply the security patches in a timely manner, my files were already corrected after the same instructions and the downloadable zip patch shows that shopmailpwd.asp and shop$db.asp were already corrected in March.
What is the point in sending "highly critical security updates" 4 months after the vulnerability was discovered?
Thank you for your attention and keep up the good work

dmaui
Starting Member

18 Posts

Posted - July 12 2006 : 16:59:24
I was also confused by this, as these updates seem to be duplicates of what we already received in the 6.08 patch. If there is something different that needs changed besides what I'd already changed in the 6.08 patch, I'd like to know.

support
Administrator

4679 Posts

Posted - July 12 2006 : 18:32:29
Hi there,

We had released this in March, but we have noticed while doing support that many people have not applied it, hence the follow-up advisory.

One of the many things that has changed here is our focus on security and whenever we notice a recurring problem such as this we will follow it up to ensure it is patched.

The image upload issue was the same. We sent out a follow-up 4 months after the original vulnerability was discovered because too many people had not applied the patch. Unfortunately we still see this sometimes even now.

So if the patch has been applied to your site already, you can ignore the advisory; if not, we strongly recommend adding it.

If you do not feel comfortable adding it yourself then you can download the patch for your version from:
http://www.vpasp.com/virtprog/info/faq_security.htm

Not sure if you know but we also have a page detailing the list of fixes for all versions including YourVirtualStore and OxfordStreet.

You can view this at:
http://www.vpasp.com/helpnotes/fixes.asp

We hope you do not mind receiving these emails from us about security. We never used to send anything and this in our opinion was a serious oversight so the new system will hopefully ensure that you are protected.

Thanks,
Cam

VP-ASP Support

bookseller
Starting Member

24 Posts

Posted - July 13 2006 : 06:52:32
Hello,

I understand the need to call vpasp customers to apply the security patches, but there should be a way for those who already applied your patches since the very first notice, to be aware that the security alert is just a reminder and that they are up to date. Otherwise it could lead them to spend useless time in checking and, in the end, have counterproductive side effects.
Thank you anyway for your attention.

support
Administrator

4679 Posts

Posted - July 13 2006 : 06:58:52
As long as you keep up to date with the advisories in the fixes page and compare the dates you will be ok.

http://www.vpasp.com/helpnotes/fixes.asp

If these are kept up to date, you can quickly check the advisory and the date it was entered into the fixes section, and if it is an existing patch being re-released, you can ignore it.

Thanks,
Cam

VP-ASP Support