[mv] MV 4.04 - Minor MiniMate security bug patch
****** message to minivend-users from Randy Moore <ramoore@axion-it.net> ******
Hi folks,
I ran into an odd situation where in one of my stores anyone could get into
the MiniMate pages without authentication. It turned out that I had
inserted an empty user record in the 'minimate' database, so non-logged-in
users were suddenly matching a valid (but blank) line in the 'minimate'
database. This seemed to completely confuse the '[if-mm]' tag.
Once the blank line was added, it could not be removed through the MiniMate
web interface. I had to manually edit the minimate.asc file.
There clearly should never be a blank entry in the 'minimate' database, but
if it happened once, it will probably happen again. Since this caused a
rather significant security problem, I decided a code fix to catch this
situation might be in order.
--- CfgMgr.pm.orig Sun May 28 15:09:22 2000
+++ CfgMgr.pm Sun May 28 15:10:16 2000
@@ -277,4 +277,7 @@
$db = $db->ref() unless $Vend::Interpolate::Db{$table};
my $uid = $Vend::Session->{username} || $CGI::remote_user;
+ if($uid eq "" ) {
+ return 0;
+ }
if(! $db->record_exists($uid) ) {
return 0;
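Review bot: the added `$uid eq ""` test runs on a value that can be undef when both `$Vend::Session->{username}` and `$CGI::remote_user` are unset, and it only rejects the exactly empty string, so a key consisting of whitespace still reaches `record_exists()`. Consider `return 0 unless defined $uid and $uid =~ /\S/;` in place of the three added lines; that avoids the uninitialized-value warning under -w and fails closed for any blank-looking identity. A one-line comment stating why the guard exists (a blank row in the table must never authorize a session with no username) would help whoever edits this function later.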
An alternate solution might be to fix this in the 'record_exists()'
function but I didn't know what side effects that might have.
Hope this helps.
Randy Moore
Axion Information Technologies, Inc.
email ramoore@axion-it.net
phone 301-408-1200
fax 301-445-3947