

[mv] MV 4.04 - Minor MiniMate security bug patch



******    message to minivend-users from Randy Moore <ramoore@axion-it.net>     ******

Hi folks,

I ran into an odd situation where in one of my stores anyone could get into 
the MiniMate pages without authentication.  It turned out that I had 
inserted an empty user record in the 'minimate' database, so non-logged-in 
users were suddenly matching a valid (but blank) line in the 'minimate' 
database.  This seemed to completely confuse the '[if-mm]' tag.

Once the blank line was added, it could not be removed through the MiniMate 
web interface.  I had to manually edit the minimate.asc file.

There clearly should never be a blank entry in the 'minimate' database, but 
if it happened once, it will probably happen again.  Since this caused a 
rather significant security problem, I decided a code fix to catch this 
situation might be in order.


--- CfgMgr.pm.orig      Sun May 28 15:09:22 2000
+++ CfgMgr.pm   Sun May 28 15:10:16 2000
@@ -277,4 +277,7 @@
         $db = $db->ref() unless $Vend::Interpolate::Db{$table};
         my $uid = $Vend::Session->{username} || $CGI::remote_user;
+       if($uid eq "" ) {
+               return 0;
+       }
         if(! $db->record_exists($uid) ) {
                 return 0;
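Review bot: the new guard `if($uid eq "" )` will emit a "Use of uninitialized value" warning under `-w` whenever both `$Vend::Session->{username}` and `$CGI::remote_user` are unset, because `||` then leaves `$uid` undefined rather than empty; `return 0 unless defined $uid and length $uid;` covers the undefined and the empty-string case without the warning. Note also that this only guards the symptom: the blank record is still in the 'minimate' database and will still satisfy `$db->record_exists('')` for any other caller that reaches it with an empty key, so the write path that allowed the empty username in should reject it as well.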


An alternate solution might be to fix this in the 'record_exists()' 
function but I didn't know what side effects that might have.


Hope this helps.


Randy Moore
Axion Information Technologies, Inc.

email     ramoore@axion-it.net
phone   301-408-1200
fax        301-445-3947
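To make the failure mode in Randy's report concrete, here is an added illustration that is not MiniVend's code and not part of the original post. It assumes a minimal stand-in for the tab-delimited 'minimate' table (`load_table`, `record_exists`) and two hypothetical versions of the admin-access check (`admin_allowed_unguarded`, `admin_allowed_guarded`); the sample table contents are constructed for the example.

```perl
#!/usr/bin/perl
# Added illustration, not MiniVend's own code: a minimal stand-in for the
# 'minimate' user table and the MiniMate access check, showing how one
# accidental blank record makes an anonymous (empty) uid "exist", and how
# rejecting empty/undefined uids before the lookup closes that hole.
use strict;
use warnings;

# Constructed sample of a minimate.asc-style tab-delimited table.
# The third line is the accidental blank record from the report.
my $SAMPLE_TABLE = "username\tpassword\tgroups\n"
                 . "alice\tx\tsuper\n"
                 . "\n"
                 . "bob\tx\tedit\n";

# Parse the table into a hash keyed by the first column, mimicking a
# naive record lookup that keys on whatever is in column one.
sub load_table {
    my ($text) = @_;
    my %rec;
    my @lines = split /\n/, $text;
    shift @lines;                       # drop the header row
    for my $line (@lines) {
        my ($key, @rest) = split /\t/, $line, -1;
        $key = '' unless defined $key;  # split of "" yields no fields
        $rec{$key} = \@rest;            # a blank line is stored under key ''
    }
    return \%rec;
}

# Stand-in for record_exists(): true if the key is present in the table.
sub record_exists {
    my ($table, $uid) = @_;
    $uid = '' unless defined $uid;      # undef stringifies to '' anyway
    return exists $table->{$uid} ? 1 : 0;
}

# Unguarded check, in the shape of the code before the patch.
sub admin_allowed_unguarded {
    my ($table, $session_user, $remote_user) = @_;
    my $uid = $session_user || $remote_user;
    return 0 unless record_exists($table, $uid);
    return 1;
}

# Guarded check: reject undefined or empty uids before touching the table.
sub admin_allowed_guarded {
    my ($table, $session_user, $remote_user) = @_;
    my $uid = $session_user || $remote_user;
    return 0 unless defined $uid && length $uid;
    return 0 unless record_exists($table, $uid);
    return 1;
}

my $table = load_table($SAMPLE_TABLE);

# Anonymous visitor: no session username and no REMOTE_USER.
printf "unguarded, anonymous: %d\n", admin_allowed_unguarded($table, undef, undef);
printf "guarded,   anonymous: %d\n", admin_allowed_guarded($table, undef, undef);
# A real user still passes the guarded check.
printf "guarded,   alice:     %d\n", admin_allowed_guarded($table, 'alice', undef);
```

With the blank record present, the unguarded check grants access to the anonymous visitor because the empty uid is a real key in the parsed table; the guarded check returns 0 for that visitor and still returns 1 for `alice`. The lookup-side guard is cheap, but the durable fix is to refuse empty usernames on the write path so the blank record can never be created.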

