by dan_m2k 3941 days ago
Not as vintage as this, but back in '10, I, along with a couple of other freelancers that I'd worked with in the past, got asked to work in a <legacy clothing manufacturer> in a big, old mill in Yorkshire.

We were immediately isolated from the modern-ish IT department and placed in a room at the end of the mill that contained a couple of dozen vacuum drive tape machines. So loud that they silenced the room when they were warming up.

Our task was to "check for security problems" in their ecommerce platform because there was some serious financial motivation from the men upstairs.

Their 'platform' was a decade-ish old install of osCommerce that had been hacked to death to make it support multi-site and multi-language, together with some customisations to its templating engine to provide asset reuse across sites.

It was immediately apparent that all the SQL injection and most other vulnerabilities present years ago in that old version of OSc were still there. They were alongside the many, many vulns that were introduced with the hacks. Oh, and most of the hacks were done by a mixture of programmers on the continent, so variable names and comments were easy to understand.

They didn't want to even consider upgrading, just patch it up and get outta there.

Out of professionalism, it was necessary to document the many times management passed on our recommendations to fix issues we found. Looking through that file, most of those issues seem to be present even today.