|
IBM Net.Commerce Remote Arbitrary Command Execution Vulnerability
Solution: You must upgrade to a non-vulnerable version or at the very least upgrade to Net.Commerce version 3.2, which fixes the Administrator macros, while also removing the sample macros. To remove sample macros: * Locate the db2www.ini in the HTML document root for each instance. * Review each ini file's MACRO_PATH to ensure that all macros are required by production and are not samples. * Remove the directories that are not required for production. The following directories contain sample code that should be removed from production systems. If you require a sample macro for your production systems you will need to modify it to validate its inputs. Note: According to IBM this bug is solved or at least there is a workaround for the problem. For more info please read http://www-4.ibm.com/software/webservers/commerce/netcomletter.html (information supplied by John Renne <john_renne@hotmail.com>) Websphere Commerce Suite and Market Place Edition Version 4.1/4.1.1: SUN Solaris /opt/WebSphere/CommerceSuite/macro/en_US/base /opt/WebSphere/CommerceSuite/macro/en_US/bus2bus /opt/WebSphere/CommerceSuite/macro/en_US/category /opt/WebSphere/CommerceSuite/macro/en_US/demomall /opt/WebSphere/CommerceSuite/macro/en_US/euromall /opt/WebSphere/CommerceSuite/macro/en_US/grocery /opt/WebSphere/CommerceSuite/macro/en_US/product /opt/WebSphere/CommerceSuite/macro/en_US/tutorial /opt/WebSphere/CommerceSuite/models IBM AIX /usr/lpp/CommerceSuite/macro/en_US/base /usr/lpp/CommerceSuite/macro/en_US/bus2bus /usr/lpp/CommerceSuite/macro/en_US/category /usr/lpp/CommerceSuite/macro/en_US/demomall /usr/lpp/CommerceSuite/macro/en_US/euromall /usr/lpp/CommerceSuite/macro/en_US/grocery /usr/lpp/CommerceSuite/macro/en_US/product /usr/lpp/CommerceSuite/macro/en_US/tutorial /usr/lpp/CommerceSuite/models Windows NT IBM\CommerceSuite\macro\en_US\base IBM\CommerceSuite\macro\en_US\bus2bus IBM\CommerceSuite\macro\en_US\category IBM\CommerceSuite\macro\en_US\demomall IBM\CommerceSuite\macro\en_US\euromall IBM\CommerceSuite\macro\en_US\grocery IBM\CommerceSuite\macro\en_US\product IBM\CommerceSuite\macro\en_US\ncsample IBM\CommerceSuite\macro\en_US\tutorial IBM\CommerceSuite\models IBM\CommerceSuite\instance\<instancename>\teditor Net.Commerce/Service Provider Edition Version 3.2 SUN Solaris /opt/IBMnetc/NetCommerce3/macro/en_US/bus2bus /opt/IBMnetc/NetCommerce3/macro/en_US/category /opt/IBMnetc/NetCommerce3/macro/en_US/demomall /opt/IBMnetc/NetCommerce3/macro/en_US/euromall /opt/IBMnetc/NetCommerce3/macro/en_US/grocery /opt/IBMnetc/NetCommerce3/macro/en_US/ncsample /opt/IBMnetc/NetCommerce3/macro/en_US/product /opt/IBMnetc/NetCommerce3/macro/en_US/tutorial IBM AIX /usr/lpp/NetCommerce3/macro/en_US/bus2bus /usr/lpp/NetCommerce3/macro/en_US/category /usr/lpp/NetCommerce3/macro/en_US/demomall /usr/lpp/NetCommerce3/macro/en_US/euromall /usr/lpp/NetCommerce3/macro/en_US/grocery /usr/lpp/NetCommerce3/macro/en_US/ncsample /usr/lpp/NetCommerce3/macro/en_US/product /usr/lpp/NetCommerce3/macro/en_US/tutorial Windows NT IBM\NetCommerce3\macro\en_US\bus2bus IBM\NetCommerce3\macro\en_US\category IBM\NetCommerce3\macro\en_US\demomall IBM\NetCommerce3\macro\en_US\euromall IBM\NetCommerce3\macro\en_US\grocery IBM\NetCommerce3\macro\en_US\ncsample IBM\NetCommerce3\macro\en_US\product IBM\NetCommerce3\macro\en_US\tutorial |
|
|
Privacy Statement |
