WilHatfield
Admin
Admin
| Posts: 17 |  |
Karma: 0
|
MIVA Merchant 5 Vulnerability Fixed - 2005/09/14 02:29
On 09/05/2005 HyperConX finished vulnerability checking the new MIVA Merchant 5 software. (Yes we work on Labor Day). A somewhat serious vulnerability was found and was reported to MIVA Corporation within the hour. Even with the MIVA Conference just a couple days away they quickly began working on a fix for the problem. Special thanks to James Harrell and Jimmy Cooper for making themselves available to us even on a holiday.
Reference: http://www.securityfocus.com/bid/14828
Rest assured even while MIVA was working on this fix we did implement safeguards server-wide on all machines to protect you from the possible attack. Some may have noticed this protection in effect others may not have. Discretion is often the best defense in such matters so we kept the vulnerability under wraps until a fix could be put together by MIVA.
MIVA has released a security update which should now be available via the update wizard when you login to your MIVA Merchant Admin panel. It is HIGHLY recommended that you allow the update wizard to run the updates on your store's software. This will fix the vulnerability that our audits discovered. The update that is required is entitled (core-4). If you have not ran the update wizard you will need to allow it to install the previous interface patches first, namely (core-2) and then allow it to run the critical (core-4) update. Once the upgrade wizard reports that there are no more updates available then your store will be secured.
For good measure run through your store pages checking any custom templating which you may have added using the Store Morph Technology. The update wizard does make some minor changes to the pages code. If a new page is seen entitled 'modified by update "core-2"' or 'modified by update "core-4"' then a change has been made by the update wizard. Carry over any changes from your custom templates to the new page and click update. We are not aware of anything critical in this step and it is added strictly as a good measure.
Custom design or extended support customers may notice that there are no updates available for their store. This would be because we already make the critical updates for you.
And for all customers we will continue to work hard to insure your safe and secure e-commerce. I should add that it is with pride that we can call MIVA Corporation a partner and we thank them for their expedited and extremely fast turn around on this bug fix. Thanks guys.[/url]
|
