Miva, Miva Script, Miva Empresa, Miva Mia and Miva Merchant are registered trademarks of the Miva Corporation
Ivo Truxa - truXoft control systems: advanced programming and custom IT solutions
http://mivo.truxoft.com

MIVA® SECURITY: Open Letter to Miva Corporation

by Ivo Truxa, 03/11/2000

As a reaction to some security issues and their unsatisfactory handling by Miva Corporation, today I sent the following letter to Joe Austin, CEO, with a CC to Jeff Huber, Support Manager of Miva Corporation:

Joe,

To tell the truth, I am disappointed with Miva's approach to the latest security issues and with the slowness with which you handled them. That's why I blackmailed you in my last e-mail. In fact, there were no media involved, and in future I would not use this approach either. I would rather push the issue through CERT or other appropriate authorities in the improbable case that Miva Co. does not want to cooperate rapidly and correctly.

Even if the popularity I gain through the security discussions is a welcome effect, it became secondary when I realized all the consequences of the mentioned security flaws.

I have prepared several new security articles. I will ALWAYS let you read them first - for the right of VETO, the possibility to ask me for corrections of some statements, and for having time for fixes before I publish the article.

However, I will NOT give you total freedom as in the last case. I saw that you abused my confidence and did not handle the issue properly. Only a few hosts were informed, and NO statement was published before users began to shout. There is still no schedule for mass mailings and for reporting the CGI-BIN-Form vulnerability issue to CERT.

There will be another article on my site about the security flaws in Miva prior to 3.63. I believe that according to US laws you are obliged to offer FREE fixes or updates for ALL affected Miva versions. Miva owners and users must be notified by mass mailings too. The issue must be reported to CERT. I would like you to send me a schedule for these tasks asap. I will make sure that it really happens.

There will be a series of articles about security holes in the standard Miva templates. The templates must be immediately removed from the install kit, and again - mass mailings to Miva owners and users and a report to CERT must follow rapidly. Please send a schedule for this issue as well. I checked the templates only very briefly and within a few seconds discovered serious glitches in dissectsite.mv and in analyzelinks.mv. As soon as I find time, I will look at the templates closely.

I have discovered other serious security problems in Miva products, and I hope that you will manage to find and fix them before I find time to analyze and report them properly. I request that any security problem found be correctly documented, fixed and published, and that FREE patches or updates ALWAYS be offered to ALL owners.

I am sorry for this harsh tone, but I firmly believe that what I request is in your interest too. Only transparent communication with your customers can help you gain their confidence. I will publish this letter to you on my site and, if you do not block me, on the miva-users list too.

Please have a look at my latest article at http://xxxxxxxxxxxx (removed). I will publish it on Monday evening (GMT). At the same time I will publish this letter at http://xxxxxxxxxxxx (removed).

Best Regards,
Ivo


copyright truXoft © 1997-2012