
2nd man of the day! Re: [mv] MV 4.04 - Minor MiniMate security bugpatch



******    message to minivend-users from Birgitt Funk <birgitt@my-books.com>     ******


What is going on with you today? Everyone is contributing first class
stuff. 8-) Terrific. Thanks!

Birgitt

On Sun, 28 May 2000, Randy Moore wrote:

> ******    message to minivend-users from Randy Moore <ramoore@axion-it.net>     ******
> 
> Hi folks,
> 
> I ran into an odd situation where in one of my stores anyone could get into 
> the MiniMate pages without authentication.  It turned out that I had 
> inserted an empty user record in the 'minimate' database, so non-logged in 
> users were suddenly matching a valid (but blank) line in the 'minimate' 
> database.  This seemed to completely confuse the '[if-mm]' tag.
> 
> Once the blank line was added, it could not be removed through the MiniMate 
> web interface.  I had to manually edit the minimate.asc file.
> 
> There clearly should never be a blank entry in the 'minimate' database, but 
> if it happened once, it will probably happen again.  Since this caused a 
> rather significant security problem, I decided a code fix to catch this 
> situation might be in order.
> 
> 
> --- CfgMgr.pm.orig      Sun May 28 15:09:22 2000
> +++ CfgMgr.pm   Sun May 28 15:10:16 2000
> @@ -277,4 +277,7 @@
>          $db = $db->ref() unless $Vend::Interpolate::Db{$table};
>          my $uid = $Vend::Session->{username} || $CGI::remote_user;
> +       if($uid eq "" ) {
> +               return 0;
> +       }
>          if(! $db->record_exists($uid) ) {
>                  return 0;
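Review bot: The new guard `+       if($uid eq "" ) {` only rejects the empty string; when both `$Vend::Session->{username}` and `$CGI::remote_user` are unset, `$uid` is undef, which `eq ""` still treats as equal but with an "uninitialized value" warning under `-w`, so the fix works by accident for that case. Suggest `return 0 unless defined $uid and length $uid;` together with a one-line comment stating why a blank uid must never reach `record_exists()` (a blank record in the 'minimate' table would otherwise authenticate anonymous users), since the added lines carry no comment explaining the check. The `+` lines are also indented with tabs while the surrounding context uses spaces.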
> 
> 
> An alternate solution might be to fix this in the 'record_exists()' 
> function but I didn't know what side effects that might have.
> 
> 
> Hope this helps.
> 
> 
> Randy Moore
> Axion Information Technologies, Inc.
> 
> email     ramoore@axion-it.net
> phone   301-408-1200
> fax        301-445-3947
> -
> To unsubscribe from the list, DO NOT REPLY to this message.  Instead, send
> email with 'UNSUBSCRIBE minivend-users' in the body to Majordomo@minivend.com.
> Archive of past messages: http://www.minivend.com/minivend/minivend-list
> 

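The failure Randy describes, modelled as an added example (not MiniVend's own code): a constructed, simplified minimate.asc with one blank record, a hash-based stand-in for `record_exists()`, the original check beside the patched one, and an audit that lists blank keys so an administrator can find the record that the web interface cannot delete. The file layout, field names and function names here are assumptions for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-in for minimate.asc: tab-delimited, header row first,
# with the accidental blank record (empty username key) on the third line.
my $minimate_asc = "username\tpassword\tname\n"
                 . "alice\tsecret\tAlice\n"
                 . "\t\t\n"
                 . "bob\tpw\tBob\n";

# Load the table into a hash keyed by username, roughly what the
# database layer consults when record_exists($uid) is called.
sub load_table {
    my ($text) = @_;
    my @lines  = split /\n/, $text;
    my @fields = split /\t/, shift @lines;
    my %rows;
    for my $line (@lines) {
        my @vals = split /\t/, $line, -1;   # -1 keeps trailing empty fields
        my %row;
        @row{@fields} = @vals;
        $rows{ $row{username} } = \%row;    # a blank line yields key ''
    }
    return \%rows;
}

# Original behaviour: an anonymous visitor has no username, so the lookup
# key is '' and the blank record makes the "exists" test succeed.
sub authorized_original {
    my ($table, $uid) = @_;
    $uid = '' unless defined $uid;
    return exists $table->{$uid} ? 1 : 0;
}

# Patched behaviour: refuse an undefined or empty uid before the lookup.
sub authorized_patched {
    my ($table, $uid) = @_;
    return 0 unless defined $uid and length $uid;
    return exists $table->{$uid} ? 1 : 0;
}

# Audit: return the keys of records whose username is blank.
sub blank_records {
    my ($table) = @_;
    return grep { !length $_ } keys %$table;
}

my $table = load_table($minimate_asc);
printf "anonymous, original check: %d\n", authorized_original($table, undef);
printf "anonymous, patched check:  %d\n", authorized_patched($table, undef);
printf "blank records in table:    %d\n", scalar blank_records($table);
```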
