
Re: [ic] Security Problem in Interchange


At 16:45 29/03/2004, you wrote:
On Mon, 29 Mar 2004 08:25:14 -0700
"Barry Treahy, Jr." <suppressed> wrote:

> Stefan Hornburg wrote:
>
> >Dear Interchange community !
> >
> >All versions of Interchange (4.8.x, 5.0.x, 5.1.x) contain a security hole
> >which allows an attacker to expose arbitrary variable contents by using
> >an URL like http://shop.example.com/cgi-bin/store/__SQLUSER__.
> >
> >All Interchange applications using the standard "missing" special page
> >from the demo catalog or a similar one are vulnerable to this attack.
> >The attacker may learn the SQL access information for your Interchange
> >application and use this information to read and manipulate sensitive
> >data.
> >
> >Attached are patches for the following Interchange versions:
> >
> >4.8.x:     Page-4.8.diff
> >
> >
> I manually applied this patch to the 4.8.6 system I have running,
> restarted IC, flushed my browser cache and am still seeing the same
> results... any thoughts?

I'll investigate this. Do you see an error message in your global
log file?

        Racke

Is this patch supposed to deal with all __XXXXX__ catalog literals?

I'm not using SQL at the moment, but I've still used the patch as I was concerned about other literals being exposed... and they were :(

So, I've patched IC 4.8.6 with the Page-4.8.diff file and I'm still able to use variants of the above URL, substituting __SQLUSER__ with __PGP_KEY__ and __ORDERS_TO__, and they reveal their contents quite happily on the error page, e.g.:


Sorry, the page ABC95E31 was not found

The requested page (ABC95E31) was not found. You can <https://secure.vwe.net/cgi-bin/eros/index.html>return to browsing our catalog, if you wish.

Nothing appears in any of the error logs, so I'm not sure what's going on here or if this patch makes any difference at all?

Many thanks

Mark



Eros Shop
vwe internet ltd
PO BOX 1067
SLOUGH
SL1 7YA
UK

Shop - http://www.eros-shop.co.uk
EMail - suppressed
Tel - 0870 737 3369
Fax - 0870 737 4469
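As an added illustration (not code from the thread or from Interchange itself), a small Python model of the behaviour Mark describes: a "missing" page that splices the requested page name into its template before `__NAME__` literals are expanded will also expand literals smuggled in the URL, whereas expanding the template first and inserting the escaped page name afterwards leaves them inert. The catalog values, the template, the `@@PAGE@@` marker and the log lines are all constructed placeholders; the last function is a simple detection that flags such probes in access-log lines.

```python
import html
import re
from typing import Dict, List

# Constructed catalog variables with placeholder values (no real credentials).
CATALOG_VARS: Dict[str, str] = {
    "SQLUSER": "<sql-user-placeholder>",
    "PGP_KEY": "<pgp-key-placeholder>",
    "COMPANY": "Example Shop",
}

# Constructed "missing" page template using the __NAME__ literal syntax from the
# thread. @@PAGE@@ marks where the requested page name goes; neither it nor this
# renderer is Interchange's own code.
MISSING_TEMPLATE = "Sorry, the page @@PAGE@@ was not found at __COMPANY__."
LITERAL_RE = re.compile(r"__([A-Z][A-Z0-9_]*)__")

def expand_literals(text: str, variables: Dict[str, str]) -> str:
    """Replace every __NAME__ token with its catalog value; unknown names stay."""
    return LITERAL_RE.sub(lambda m: variables.get(m.group(1), m.group(0)), text)

def render_missing_vulnerable(page: str) -> str:
    """Insert the untrusted page name, then expand: tokens smuggled in the page
    name (e.g. __SQLUSER__) are expanded along with the template's own."""
    return expand_literals(MISSING_TEMPLATE.replace("@@PAGE@@", page), CATALOG_VARS)

def render_missing_hardened(page: str) -> str:
    """Expand the template first, then insert the escaped page name, so the
    expander never sees user data (assumes a single expansion pass)."""
    expanded = expand_literals(MISSING_TEMPLATE, CATALOG_VARS)
    return expanded.replace("@@PAGE@@", html.escape(page))

def flag_literal_probes(access_log: List[str]) -> List[str]:
    """Return request paths from common-log-format lines that carry a __NAME__
    token, a cheap detection for probes like the URL quoted in the advisory."""
    hits = []
    for line in access_log:
        parts = line.split('"')
        if len(parts) < 2:
            continue
        request = parts[1].split()  # ['GET', '/path', 'HTTP/1.1']
        if len(request) >= 2 and LITERAL_RE.search(request[1]):
            hits.append(request[1])
    return hits
```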

