[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [ic] Security Problem in Interchange

Stefan Hornburg wrote:


On Mon, 29 Mar 2004 08:25:14 -0700
"Barry Treahy, Jr." <suppressed> wrote:

Stefan Hornburg wrote:

Dear Interchange community !

All versions of Interchange (4.8.x, 5.0.x, 5.1.x) contain a security hole
which allows an attacker to expose arbitrary variable contents by using
an URL like http://shop.example.com/cgi-bin/store/__SQLUSER__. 
All Interchange applications using the standard "missing" special page

from the demo catalog or a similar one are vulnerable to this attack.

The attacker may learn the SQL access information for your Interchange
application and use this information to read and manipulate sensitive
data. 
Attached are patches for the following Interchange versions:

4.8.x:     Page-4.8.diff
I manually applied this patch to the 4.8.6 system I have running, restarted IC, flushed my browser cache and still seeing the same results... any thoughts? 

You can use the attached update patch. It works on my 4.8 system, but
no guarantees whatsoever ...

Any test reports are welcome.
I tried the patch first, being lazy, and it didn't work (the reject file is below). I then tried manually applying the patch and still not proper results... Looking at the page presented, I leave info tags and I'm at this page: 

<!-- Currently at ../special_pages/missing, Country: US -->

Barry




suppressed Vend]# cat  Page.pm.rej
***************
*** 60,66 ****
"Security violation -- scripting character in page name '%s'.", 
                                       $name,
                               );
-                       $name = 'violation';
                       1 while $subject =~ s/suppressed/_/g;
               };

--- 59,65 ----
"Security violation -- scripting character in page name '%s'.", 
                                       $name,
                               );
+                       $name = find_special_page('violation');
                       1 while $subject =~ s/suppressed/_/g;
               };

***************
*** 84,100 ****
       my($name) = @_;
       my($page);

       $name =~ m/[\[<]|suppressed@_]|suppressed@suppressed@/
               and do {
                       ::logGlobal(
"Security violation -- scripting character in page name '%s'.", 
                                       $name,
                               );
-                       $name = 'violation';
                       return display_special_page($name);
               };

-       $name = $CGI::values{mv_nextpage} unless $name;
 #::logDebug("display_page: $name");
       if($Vend::Cfg->{ExtraSecure} and
               $Vend::Cfg->{AlwaysSecure}->{$name}
--- 83,100 ----
       my($name) = @_;
       my($page);

+       $name ||= $CGI::values{mv_nextpage};
+
       $name =~ m/[\[<]|suppressed@_]|suppressed@suppressed@/
               and do {
                       ::logGlobal(
"Security violation -- scripting character in page name '%s'.", 
                                       $name,
                               );
+                       $name = find_special_page('violation');
                       return display_special_page($name);
               };

 #::logDebug("display_page: $name");
       if($Vend::Cfg->{ExtraSecure} and
               $Vend::Cfg->{AlwaysSecure}->{$name}
suppressed Vend]#

--

Barry Treahy, Jr                       E-mail: suppressed
Midwest Microwave                          Phone: 480/314-1320
Vice President & CIO                         FAX: 480/661-7028


_______________________________________________
interchange-users mailing list
suppressed
http://www.icdevgroup.org/mailman/listinfo/interchange-users

Mail converted by mhonarc 2.6.15
This archive provided courtesy of JSW4.NET, Internet Hosting Services for Small Business.