Re: [mv] MV 4.04 - Minor MiniMate security bug patch
****** message to minivend-users from Mike Heins <mikeh@minivend.com> ******
Quoting Randy Moore (ramoore@axion-it.net):
>
> Hi folks,
>
> I ran into an odd situation where in one of my stores anyone could get into
> the MiniMate pages without authentication. It turned out that I had
> inserted an empty user record in the 'minimate' database, so non-logged in
> users were suddenly matching a valid (but blank) line in the 'minimate'
> database. This seemed to completely confuse the '[if-mm]' tag.
>
> Once the blank line was added, it could not be removed through the MiniMate
> web interface. I had to manually edit the minimate.asc file.
>
> There clearly should never be a blank entry in the 'minimate' database, but
> if it happened once, it will probably happen again. Since this caused a
> rather significant security problem, I decided a code fix to catch this
> situation might be in order.
>
>
> --- CfgMgr.pm.orig Sun May 28 15:09:22 2000
> +++ CfgMgr.pm Sun May 28 15:10:16 2000
> @@ -277,4 +277,7 @@
> $db = $db->ref() unless $Vend::Interpolate::Db{$table};
> my $uid = $Vend::Session->{username} || $CGI::remote_user;
> + if($uid eq "" ) {
> + return 0;
> + }
> if(! $db->record_exists($uid) ) {
> return 0;
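Review bot: the guard `if($uid eq "" )` also has to cover the case where both `$Vend::Session->{username}` and `$CGI::remote_user` are unset, which leaves `$uid` undef; `undef eq ""` is true so the check still rejects that visitor, but it emits an "uninitialized value" warning under `use warnings`. Consider `return 0 unless defined $uid and length $uid;` in front of the `record_exists` lookup, which rejects both undef and the empty string explicitly and reads as the intent of the fix.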
Thank you. This will be put in 4.5.0 as well as 4.4.1 slightly changed,
but to the same effect. I love fixes!
--
Internet Robotics, 131 Willow Lane, Floor 2, Oxford, OH 45056
phone +1.513.523.7621 fax 7501 <mikeh@minivend.com>
Any man who is under 30, and is not liberal, has not heart; and any man
who is over 30, and is not a conservative, has not brains.
-- Winston Churchill
-
To unsubscribe from the list, DO NOT REPLY to this message. Instead, send
email with 'UNSUBSCRIBE minivend-users' in the body to Majordomo@minivend.com.
Archive of past messages: http://www.minivend.com/minivend/minivend-list
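The failure mode from the report, as an added Perl example that is not MiniVend or MiniMate code: a constructed in-memory stand-in for the 'minimate' table containing the accidental blank record, the access check as it stood before the patch, and the same check with the guard added. The names `%minimate`, `record_exists`, `mm_allowed_before` and `mm_allowed_after` are assumed for illustration and do not correspond to the real `CfgMgr.pm` API.

```perl
#!/usr/bin/perl
# Added example, not MiniVend code: models the MiniMate access check described
# in the thread against a small in-memory stand-in for the 'minimate' table.
use strict;
use warnings;

# Constructed sample rows, keyed by username as the 'minimate' table would be.
# The empty key stands in for the blank record inserted by mistake.
my %minimate = (
    'admin' => { super => 1 },
    ''      => { super => 0 },   # blank record that should never exist
);

# Stand-in for the database's record_exists() lookup (assumed name).
sub record_exists {
    my ($key) = @_;
    no warnings 'uninitialized';   # an undef key stringifies to ""
    return exists $minimate{$key} ? 1 : 0;
}

# Check as it stood before the patch: whatever uid results from the
# username || remote_user fallback is looked up directly, so "" matches
# the blank record and an anonymous visitor is let in.
sub mm_allowed_before {
    my ($session_user, $remote_user) = @_;
    my $uid = $session_user || $remote_user;
    return 0 if !record_exists($uid);
    return 1;
}

# Check with the reported guard, written as defined/length so an undef uid
# is rejected without an "uninitialized value" warning.
sub mm_allowed_after {
    my ($session_user, $remote_user) = @_;
    my $uid = $session_user || $remote_user;
    return 0 unless defined $uid && length $uid;
    return 0 if !record_exists($uid);
    return 1;
}

# Constructed cases: a real admin, an anonymous visitor with nothing set,
# and an anonymous visitor whose session and CGI values are empty strings.
for my $case (
    [ 'admin', undef, 'logged-in admin' ],
    [ undef,   undef, 'anonymous visitor' ],
    [ '',      '',    'anonymous visitor, empty strings' ],
) {
    my ($s, $r, $label) = @$case;
    printf "%-35s before=%d after=%d\n", $label,
        mm_allowed_before($s, $r), mm_allowed_after($s, $r);
}
```

Run it with `perl minimate_check.pl` (any file name will do). The admin row is allowed by both versions; the two anonymous cases are allowed by the pre-patch check because `'' || ''` yields `''`, which exists as a key, and are rejected once the guard is in place. Removing the blank row from `%minimate` makes the pre-patch check reject them too, which is why the report describes the blank entry as the root cause and the guard as defence in depth.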