2nd man of the day ! Re: [mv] MV 4.04 - Minor MiniMate security bugpatch
****** message to minivend-users from Birgitt Funk <birgitt@my-books.com> ******
What is going on with you today? Everyone is contributing first-class
stuff. 8-) Terrific. Thanks!
Birgitt
On Sun, 28 May 2000, Randy Moore wrote:
> ****** message to minivend-users from Randy Moore <ramoore@axion-it.net> ******
>
> Hi folks,
>
> I ran into an odd situation where in one of my stores anyone could get into
> the MiniMate pages without authentication. It turned out that I had
> inserted an empty user record in the 'minimate' database, so non-logged-in
> users were suddenly matching a valid (but blank) line in the 'minimate'
> database. This seemed to completely confuse the '[if-mm]' tag.
>
> Once the blank line was added, it could not be removed through the MiniMate
> web interface. I had to manually edit the minimate.asc file.
>
> There clearly should never be a blank entry in the 'minimate' database, but
> if it happened once, it will probably happen again. Since this caused a
> rather significant security problem, I decided a code fix to catch this
> situation might be in order.
>
>
> --- CfgMgr.pm.orig Sun May 28 15:09:22 2000
> +++ CfgMgr.pm Sun May 28 15:10:16 2000
> @@ -277,4 +277,7 @@
> $db = $db->ref() unless $Vend::Interpolate::Db{$table};
> my $uid = $Vend::Session->{username} || $CGI::remote_user;
> + if($uid eq "" ) {
> + return 0;
> + }
> if(! $db->record_exists($uid) ) {
> return 0;
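Review bot: the added `if($uid eq "" )` guard will raise an "uninitialized value" warning under `use warnings` (or `-w`) whenever both `$Vend::Session->{username}` and `$CGI::remote_user` are undefined, because the `||` on the preceding line then leaves `$uid` undef; `undef eq ""` is still true, so the early `return 0` does fire, but `return 0 unless defined $uid && length $uid;` states the intent without the warning. A one-line comment explaining that an empty key would otherwise match a blank record in the 'minimate' table is worth adding, since on its own the check looks redundant next to the `record_exists($uid)` test that follows.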
>
>
> An alternate solution might be to fix this in the 'record_exists()'
> function but I didn't know what side effects that might have.
>
>
> Hope this helps.
>
>
> Randy Moore
> Axion Information Technologies, Inc.
>
> email ramoore@axion-it.net
> phone 301-408-1200
> fax 301-445-3947
> -
> To unsubscribe from the list, DO NOT REPLY to this message. Instead, send
> email with 'UNSUBSCRIBE minivend-users' in the body to Majordomo@minivend.com.
> Archive of past messages: http://www.minivend.com/minivend/minivend-list
>
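The failure mode Randy describes, reproduced in a small stand-alone script, as an added illustration rather than code from MiniVend or from the message above. The table, the `record_exists()` stand-in and the two `mm_allowed_*` functions are all assumptions made for this example; the point it shows is that once a blank record exists, a lookup keyed on an empty or undefined username succeeds, and that rejecting an empty uid before the lookup closes that path.

```perl
#!/usr/bin/perl
# Added example (not MiniVend code): why a blank record in the 'minimate'
# table lets an unauthenticated user past a record_exists()-style check,
# and how an explicit empty-uid guard closes it.
use strict;
use warnings;

# Constructed stand-in for minimate.asc: tab-separated, first column is the
# username key. The final "\t\t" line is the accidental empty record.
my $minimate_asc = "admin\tadm_pass\tAll\nbirgitt\tbpass\tCatalog\n\t\t\n";

# Parse the text into a hash keyed on username, like a simple DB table.
sub load_table {
    my ($text) = @_;
    my %rows;
    for my $line (split /\n/, $text) {
        my ($key, @fields) = split /\t/, $line, -1;
        $rows{$key} = \@fields;   # a blank line yields the key ""
    }
    return \%rows;
}

# Minimal record_exists(): true if a row with that key is present.
# An undefined key is looked up as "" so the blank record matches it too.
sub record_exists {
    my ($table, $key) = @_;
    return exists $table->{ defined $key ? $key : "" } ? 1 : 0;
}

# Original-style check: only asks whether a record for $uid exists.
sub mm_allowed_original {
    my ($table, $session_user, $remote_user) = @_;
    my $uid = $session_user || $remote_user;
    return 0 if ! record_exists($table, $uid);
    return 1;
}

# Patched check: refuse an empty or undefined uid before touching the table.
sub mm_allowed_patched {
    my ($table, $session_user, $remote_user) = @_;
    my $uid = $session_user || $remote_user;
    return 0 unless defined $uid && length $uid;
    return 0 if ! record_exists($table, $uid);
    return 1;
}

my $table = load_table($minimate_asc);

# Three callers: a real user, a visitor with no session or REMOTE_USER,
# and a visitor whose session username is the empty string.
for my $case (['admin', undef], [undef, undef], ['', '']) {
    my ($s, $r) = @$case;
    printf "session=%-7s remote=%-7s original=%d patched=%d\n",
        (defined $s ? "'$s'" : 'undef'),
        (defined $r ? "'$r'" : 'undef'),
        mm_allowed_original($table, $s, $r),
        mm_allowed_patched($table, $s, $r);
}
```

With the blank record loaded, the original-style check returns 1 for both anonymous callers, because the empty key really does exist in the table; the patched check returns 1 only for `admin`. The same guard is also the natural place to reject whitespace-only or otherwise malformed keys if the table format ever allows them.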