4.11 p19 on a hosted web site

Ted Mittelstaedt tedm at toybox.placo.com
Sat Jul 21 07:31:53 UTC 2007



> -----Original Message-----
> From: owner-freebsd-questions at freebsd.org
> [mailto:owner-freebsd-questions at freebsd.org]On Behalf Of
> clubturbo at web-tricks.net
> Sent: Wednesday, July 18, 2007 2:16 PM
> To: questions at freebsd.org
> Subject: 4.11 p19 on a hosted web site
> 
> 
> Hello Everyone.
> I have a domain hosted on a very large Visa CISP compliant host
> in the US of A.
> Right now their software is
> freebsd 4.11-release p19
> mysql 4.0
> php4
> osCommerce 2.2 ms2.
> 
> I am wondering if this is something
> I need to worry about until they get
> up to speed on the above said software.
> 
> I know a lot has changed in the above software,
> mainly the freebsd 4.11 to 6.2 jump.
> but should I give a hoot about this as for
> my online CC processing ?
> Don't know where to post this
> as it has taken me this long to ask here at all.
> 

Assuming that your server is behind a firewall that is only
allowing inbound access to the osCommerce site software,
you can basically ignore all of the security problems of the
older FreeBSD and MySQL software.  A cracker can't exploit them.

Your big concern should be the application software itself,
ie: the "freebsd 4.11-release p19" and the "osCommerce 2.2 ms2"

Presumably this isn't open source software.  As such you are
utterly dependent on the application software vendor having
written the software in a secure manner.  You should initiate
a conversation with them immediately.

VISA does require 3rd party auditing of online credit card
taking software, it's in the card services contract.  This
software vendor should have regular 3rd party security audits
being done of their code, and should make the results available
to you.  If they cannot do this then both you and they are in
violation of VISA's contracts.

If a hole exists in the application software it is completely
immaterial if the cracker can use it to get root access to your
FreeBSD server.  A cracker isn't, in fact, even going to bother
trying.  What they want to steal are the actual customer credit card
numbers themselves and all they have to do is find a hole in the
application software.  Since the application software is handling
the card numbers, a cracker doesn't need any special permissions
to get at them, if they find a hole in the application software.

The fact of the matter is you could have the very latest version
of FreeBSD and the very latest version of mysql loaded, and if the
application has a hole, a cracker will use the hole to query all
the data they want out of your mysql database - because obviously
the application has to have permission to read its own data.

Ted
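The mechanism Ted describes above, as an added example that is not part of the original thread and not osCommerce code: a hypothetical "show my order" lookup that splices a request parameter into its SQL, run against a constructed in-memory SQLite table standing in for the shop's MySQL database. The schema, rows, card numbers (standard test numbers) and request values are all made up for the demo. The point it shows is the one in the reply: the attacker needs no OS or database privilege, because the query runs with the application's own database connection, which must be able to read the orders table for the shop to work at all. The hardened version binds the parameter instead of concatenating it.

```python
"""Added example, not from the original mailing-list thread.

Demonstrates why a hole in the web application hands over card data
regardless of how well patched FreeBSD or MySQL underneath it are:
the application's own DB connection already has SELECT on the table.
All data below is constructed for the demo (standard test card numbers).
"""
import sqlite3


def build_db():
    # Constructed in-memory stand-in for the shop database.  The app's
    # DB account can read this table because the app needs it to render
    # orders; that is exactly the permission an injected query reuses.
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE orders (
            id INTEGER PRIMARY KEY,
            customer TEXT,
            cc_number TEXT,
            cc_expires TEXT
        );
        INSERT INTO orders VALUES (1, 'alice', '4111111111111111', '12/09');
        INSERT INTO orders VALUES (2, 'bob',   '5500000000000004', '03/10');
        INSERT INTO orders VALUES (3, 'carol', '340000000000009',  '07/08');
        """
    )
    return conn


def order_lookup_vulnerable(conn, order_id):
    # Hypothetical "show my order" page: the request parameter is pasted
    # straight into the SQL text, so the parameter can change the query.
    sql = "SELECT customer, cc_number FROM orders WHERE id = " + order_id
    return conn.execute(sql).fetchall()


def order_lookup_fixed(conn, order_id):
    # Same lookup with a bound parameter: whatever the client sends is
    # compared as a value against id, never interpreted as SQL.
    sql = "SELECT customer, cc_number FROM orders WHERE id = ?"
    return conn.execute(sql, (order_id,)).fetchall()


if __name__ == "__main__":
    # Constructed request values: a normal one and a hostile one.
    normal = "1"
    hostile = "1 OR 1=1"

    db = build_db()
    print("vulnerable, normal :", order_lookup_vulnerable(db, normal))
    print("vulnerable, hostile:", order_lookup_vulnerable(db, hostile))
    print("fixed, normal      :", order_lookup_fixed(db, normal))
    print("fixed, hostile     :", order_lookup_fixed(db, hostile))
```

With the hostile value the vulnerable lookup returns every customer's card number in one request, and nothing on the server had to be escalated: the query ran under the same database account the shop uses for every page view. The fixed lookup returns no rows for the same input because the bound parameter is treated as a value that matches no id. The same reasoning applies to any other application-layer hole (a file-include or authentication bypass would reach the same data through the same connection); SQL is just the simplest to show.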
