From: "Ted Mittelstaedt" <tedm@toybox.placo.com>
Date: Sat, 21 Jul 2007 00:32:59 -0700
Subject: RE: 4.11 p19 on a hosted web site
List: freebsd-questions@freebsd.org (User questions)

> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of
> clubturbo@web-tricks.net
> Sent: Wednesday, July 18, 2007 2:16 PM
> To: questions@freebsd.org
> Subject: 4.11 p19 on a hosted web site
>
>
> Hello Everyone.
> I have a domain hosted on a very large Visa CISP compliant host
> in the US of A.
> Right now their software is
> freebsd 4.11-release p19
> mysql 4.0
> php4
> osCommerce 2.2 ms2.
>
> I am wondering if this is something
> I need to worry about until they get
> up to speed on the above said software.
>
> I know a lot has changed in the above software,
> mainly the freebsd 4.11 to 6.2 jump.
> But should I give a hoot about this as for
> my online CC processing?
> Don't know where to post this
> as it has taken me this long to ask here at all.
>

Assuming that your server is behind a firewall that is only allowing inbound access to the osCommerce site software, you can basically ignore all of the security problems of the older FreeBSD and MySQL software. A cracker can't exploit them.

Your big concern should be the application software itself, i.e. the "freebsd 4.11-release p19" and the "osCommerce 2.2 ms2". Presumably this isn't open source software. As such you are utterly dependent on the application software vendor having written the software in a secure manner. You should initiate a conversation with them immediately.

VISA does require 3rd party auditing of online credit card taking software; it's in the card services contract. This software vendor should have regular 3rd party security audits being done of their code, and should make the results available to you. If they cannot do this then both you and they are in violation of VISA's contracts.

If a hole exists in the application software it is completely immaterial if the cracker can use it to get root access to your FreeBSD server. A cracker isn't, in fact, even going to bother trying. What they want to steal are the actual customer credit card numbers themselves, and all they have to do is find a hole in the application software. Since the application software is handling the card numbers, a cracker doesn't need any special permissions to get at them if they find a hole in the application software.

The fact of the matter is you could have the very latest version of FreeBSD and the very latest version of mysql loaded, and if the application has a hole, a cracker will use the hole to query all the data they want out of your mysql database, because obviously the application has to have permission to read its own data.

Ted