> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
> Sent: Wednesday, July 18, 2007 2:16 PM
> To: [EMAIL PROTECTED]
> Subject: 4.11 p19 on a hosted web site
>
> Hello Everyone.
> I have a domain hosted on a very large Visa CISP compliant host in the US of A.
> Right now their software is
> freebsd 4.11-release p19
> mysql 4.0
> php4
> osCommerce 2.2 ms2.
>
> I am wondering if this is something I need to worry about until they get
> up to speed on the above said software.
>
> I know a lot has changed in the above software,
> mainly the freebsd 4.11 to 6.2 jump,
> but should I give a hoot about this as for
> my online CC processing?
> Don't know where to post this,
> as it has taken me this long to ask here at all.
Assuming that your server is behind a firewall that is only allowing inbound access to the osCommerce site software, you can basically ignore all of the security problems of the older FreeBSD and MySQL software. A cracker can't exploit them.

Your big concern should be the application software itself, i.e. the "freebsd 4.11-release p19" and the "osCommerce 2.2 ms2". Presumably this isn't open source software. As such you are utterly dependent on the application software vendor having written the software in a secure manner. You should initiate a conversation with them immediately.

VISA does require 3rd party auditing of online credit card taking software; it's in the card services contract. This software vendor should have regular 3rd party security audits being done of their code, and should make the results available to you. If they cannot do this then both you and they are in violation of VISA's contracts.

If a hole exists in the application software it is completely immaterial if the cracker can use it to get root access to your FreeBSD server. A cracker isn't, in fact, even going to bother trying. What they want to steal are the actual customer credit card numbers themselves, and all they have to do is find a hole in the application software. Since the application software is handling the card numbers, a cracker doesn't need any special permissions to get at them if they find a hole in the application software.

The fact of the matter is you could have the very latest version of FreeBSD and the very latest version of mysql loaded, and if the application has a hole, a cracker will use the hole to query all the data they want out of your mysql database - because obviously the application has to have permission to read its own data.

Ted

_______________________________________________
firstname.lastname@example.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
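Ted's point is that the application, not the operating system, is the layer that holds the keys to the card data: any query the web application can run, a hole in the web application can run too, under the same database account. The following is an added illustration of that reasoning and is not code from the thread or from osCommerce. It uses an in-memory SQLite table with constructed placeholder card values (not real numbers) to stand in for a PHP/MySQL store's customer lookup, and shows the two query styles side by side: the concatenated query that lets untrusted input change what the database is asked, and the hardened version that validates the input and binds it as a parameter so the database only ever sees the lookup the developer wrote. The function and table names are assumptions for the example.

```python
import sqlite3

# Constructed sample data standing in for a store's customer table.
# Card values are deliberate placeholders, not card numbers.
SAMPLE_ROWS = [
    (1, "alice", "CARD-PLACEHOLDER-0001"),
    (2, "bob", "CARD-PLACEHOLDER-0002"),
    (3, "carol", "CARD-PLACEHOLDER-0003"),
]


def make_db():
    """Build the toy database the two lookup functions run against."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, card TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, customer_id):
    """The hole: the request value is pasted into the SQL text.

    Whatever the caller supplies becomes part of the statement, so the
    database answers a different question than the developer intended.
    The account the app connects with can read the whole table, so the
    whole table is what leaks; OS patch level plays no part in this.
    """
    sql = "SELECT id, name, card FROM customers WHERE id = " + str(customer_id)
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, customer_id):
    """The fix: validate the input's type, then bind it as a parameter.

    The statement text is fixed; the value travels separately, so it can
    never be interpreted as SQL. Anything that is not an integer id is
    rejected before the database is touched.
    """
    try:
        cid = int(customer_id)
    except (TypeError, ValueError):
        return []
    return conn.execute(
        "SELECT id, name, card FROM customers WHERE id = ?", (cid,)
    ).fetchall()


def rows_exposed(lookup, value):
    """Count how many customer records a single request returns via `lookup`."""
    return len(lookup(make_db(), value))


if __name__ == "__main__":
    # A legitimate request looks identical through both paths.
    print("vulnerable, id 1:", rows_exposed(lookup_vulnerable, 1))
    print("hardened,   id 1:", rows_exposed(lookup_hardened, 1))
    # A malformed request is where the two paths part ways.
    print("vulnerable, tampered:", rows_exposed(lookup_vulnerable, "1 OR 1=1"))
    print("hardened,   tampered:", rows_exposed(lookup_hardened, "1 OR 1=1"))
```

The thing to notice is that both functions use the same connection and the same privileges. Parameterization stops the application from being talked into running queries the developer never wrote, but it does nothing to limit what the application's database account may read; that is why, beyond fixing query construction, the usual mitigations for a card-handling application are to give the web tier an account with the narrowest grants that still work and to keep full card numbers out of tables the web tier can query at all.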