Dear Interchange community!

This is an important update of the last report about the security hole, as we found the patch for 4.8.x non-functional. If you already applied the patch from the last report, please contact me for an incremental patch.

All versions of Interchange (4.8.x, 5.0.x, 5.1.x) contain a security hole which allows an attacker to expose arbitrary variable contents by using a URL like http://shop.example.com/cgi-bin/store/__SQLUSER__. All Interchange applications using the standard "missing" special page from the demo catalog or a similar one are vulnerable to this attack. The attacker may learn the SQL access information for your Interchange application and use this information to read and manipulate sensitive data.

Attached are patches for the following Interchange versions:

4.8.x: Page-4.8.diff
5.0.x: Page-5.0.diff
5.1.x/CVS: Page-5.1.diff

To apply the patch for your Interchange version, enter the directory Vend or lib/Vend below your Interchange installation directory and run the following command:

    patch -p3 < /path/to/Page.diff

Please replace the file name of the patch file with the appropriate location.

Tarballs and Debian packages for Interchange 4.8.8 and Interchange 5.0.1 will be released shortly.

Racke

--
LinuXia Systems => http://www.linuxia.de/
Expert Interchange Consulting and System Administration
ICDEVGROUP => http://www.icdevgroup.org/
Interchange Development Team
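Added example, not part of the original announcement or of the Interchange code base: a log review that lists requests whose page name carried a variable token in the `__NAME__` form shown above, so an operator can see whether a catalog was probed before patching. The `/cgi-bin/store/` prefix is taken from the example URL; the log format (Apache common/combined) and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Common/combined log format: client, method, request target, status.
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+)[^"]*" (\d{3})')
# Variable token in the form the announcement shows: __NAME__
TOKEN = re.compile(r'__[A-Z]\w*?__')


def find_probes(log_lines, script_prefix="/cgi-bin/store/"):
    """Return (client, status, tokens) for requests whose page name holds a token."""
    hits = []
    for line in log_lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not a parseable access-log line
        client, _method, target, status = m.groups()
        parts = urlsplit(target)
        path = unquote(parts.path)  # also catches %5F%5F... encodings
        if not path.startswith(script_prefix):
            continue  # request did not go to the Interchange link program
        # The page name comes from the path, or from mv_nextpage when set
        # (the patch applies its check to that CGI value as well).
        candidates = [path[len(script_prefix):]]
        candidates += parse_qs(parts.query).get("mv_nextpage", [])
        tokens = [t for c in candidates for t in TOKEN.findall(c)]
        if tokens:
            hits.append((client, status, tokens))
    return hits


# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [29/Mar/2004:10:00:01 +0200] "GET /cgi-bin/store/index.html HTTP/1.1" 200 8123',
    '203.0.113.7 - - [29/Mar/2004:10:00:05 +0200] "GET /cgi-bin/store/__SQLUSER__ HTTP/1.1" 200 2210',
    '198.51.100.4 - - [29/Mar/2004:10:02:11 +0200] "GET /cgi-bin/store/%5F%5FSQLUSER%5F%5F?id=x HTTP/1.0" 200 2190',
    '198.51.100.9 - - [29/Mar/2004:10:03:40 +0200] "GET /cgi-bin/store/process?mv_nextpage=__SQLUSER__ HTTP/1.0" 200 2190',
    '192.0.2.10 - - [29/Mar/2004:10:04:02 +0200] "GET /static/__SQLUSER__.gif HTTP/1.1" 404 312',
]

if __name__ == "__main__":
    for client, status, tokens in find_probes(SAMPLE_LOG):
        print(client, status, ",".join(tokens))
```

A hit in pre-patch logs is a reason to rotate the SQL credentials the catalog defines, since the announcement states their values could be disclosed.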
diff -u -r2.16 -r2.17
--- interchange-5.0.0/lib/Vend/Page.pm 27 Dec 2003 01:08:33 -0000 2.16
+++ interchange-5.0.1/lib/Vend/Page.pm 28 Mar 2004 20:29:39 -0000 2.17
@@ -56,16 +56,17 @@
undef $Vend::write_redirect;
- $name =~ m/[\[<]+/g
+ $name =~ m/[\[<]|suppressed@_]|suppressed@suppressed@/
and do {
::logGlobal(
"Security violation -- scripting character in page name '%s'.",
$name,
);
- $name = 'violation';
+ $name = find_special_page('violation');
+ 1 while $subject =~ s/suppressed/_/g;
};
- $subject = $subject || 'unspecified error';
+ $subject ||= 'unspecified error';
my $noname = $name;
$noname =~ s:^\.\./::;
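Review bot: The added `1 while $subject =~ s/.../_/g;` line sits inside the `and do { ... }` block, so `$subject` is only scrubbed when `$name` itself matched the pattern. If `$subject` can carry caller-supplied text while `$name` is clean, move the substitution below the block, next to `$subject ||= 'unspecified error';`, so that it always runs.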
@@ -88,17 +89,17 @@
my($name, $opt) = @_;
my($page);
- $name =~ m/[\[<]+/g
+ $name ||= $CGI::values{mv_nextpage};
+
+ $name =~ m/[\[<]|suppressed@_]|suppressed@suppressed@/
and do {
::logGlobal(
"Security violation -- scripting character in page name '%s'.",
$name,
);
- $name = 'violation';
+ $name = find_special_page('violation');
return display_special_page($name);
};
-
- $name = $CGI::values{mv_nextpage} unless $name;
if($Vend::Cfg->{ExtraSecure} and
$Vend::Cfg->{AlwaysSecure}->{$name}
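Review bot: Missing comment on the ordering at the top of this hunk: the pattern test only covers the `mv_nextpage` value because `$name ||= $CGI::values{mv_nextpage};` now runs before it. A one-line comment saying the default must stay above the check would keep a later cleanup from moving it back below the block, where the removed `unless $name` line was.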
diff -u -r2.16 -r2.17
--- interchange-5.1.0-vanilla/lib/Vend/Page.pm 27 Dec 2003 01:08:33 -0000 2.16
+++ interchange-5.1.0/lib/Vend/Page.pm 28 Mar 2004 20:29:39 -0000 2.17
@@ -56,13 +56,14 @@
undef $Vend::write_redirect;
- $name =~ m/[\[<]/
+ $name =~ m/[\[<]|suppressed@_]|suppressed@suppressed@/
and do {
::logGlobal(
"Security violation -- scripting character in page name '%s'.",
$name,
);
- $name = 'violation';
+ $name = find_special_page('violation');
+ 1 while $subject =~ s/suppressed/_/g;
};
$subject ||= 'unspecified error';
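Review bot: The log text `scripting character in page name` (unchanged context in this hunk) no longer describes everything the widened pattern rejects, since the added alternatives match more than `[` and `<`. Consider a separate or more general message so that someone reading the global log can tell a variable-token request apart from markup in the page name.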
@@ -90,13 +91,13 @@
$name ||= $CGI::values{mv_nextpage};
- $name =~ m/[\[<]/
+ $name =~ m/[\[<]|suppressed@_]|suppressed@suppressed@/
and do {
::logGlobal(
"Security violation -- scripting character in page name '%s'.",
$name,
);
- $name = 'violation';
+ $name = find_special_page('violation');
return display_special_page($name);
};
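Review bot: The pattern literal on the `+` line here is the same one added in the previous hunk of this file, so the two checks can drift apart on the next change. Suggest compiling it once into a file-level `qr//` variable and testing `$name` against that in both places.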
diff -u -r2.0.2.5 -r2.0.2.7
--- interchange-4.8.7/lib/Vend/Page.pm 26 Nov 2002 03:21:10 -0000 2.0.2.5
+++ interchange-4.8.8/lib/Vend/Page.pm 29 Mar 2004 16:32:27 -0000 2.0.2.7
@@ -54,13 +54,14 @@
my($name, $subject) = @_;
my($page);
- $name =~ m/[\[<]+/g
+ $name =~ m/[\[<]|suppressed@_]|suppressed@suppressed@/
and do {
::logGlobal(
"Security violation -- scripting character in page name '%s'.",
$name,
);
- $name = 'violation';
+ $name = find_special_page('violation');
+ 1 while $subject =~ s/suppressed/_/g;
};
$subject = $subject || 'unspecified error';
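Review bot: The `+` pattern line, as archived on this page, contains the literal text `suppressed@` and a `]` with no opening `[`, and the added `s/suppressed/_/g` line shows the same word; this looks like the list archive's address masking rather than the regex that was committed. Do not retype the check from this copy; take it from the attached Page-4.8.diff or from the released 4.8.8 tarball.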
@@ -83,17 +84,18 @@
my($name) = @_;
my($page);
- $name =~ m/[\[<]+/g
+ $name ||= $CGI::values{mv_nextpage};
+
+ $name =~ m/[\[<]|suppressed@_]|suppressed@suppressed@/
and do {
::logGlobal(
"Security violation -- scripting character in page name '%s'.",
$name,
);
- $name = 'violation';
+ $name = find_special_page('violation');
return display_special_page($name);
};
- $name = $CGI::values{mv_nextpage} unless $name;
#::logDebug("display_page: $name");
if($Vend::Cfg->{ExtraSecure} and
$Vend::Cfg->{AlwaysSecure}->{$name}
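Review bot: No test accompanies this hunk, and the announcement says the earlier 4.8.x patch turned out to be non-functional. After applying, request a page name in the form given in the announcement against a test catalog and confirm that the `violation` special page is returned and the `Security violation` line appears in the global log.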