RE: HACKED [mv] eWeek using Minivend in our openhack project
****** message to minivend-users from "Kevin Walsh" <kevin@cursor-software.co.uk> ******
> I have duplicated this with a test v4.04 simple catalog.
>
> I had not taken the time to explore the view_page.html file when I converted
> my primary catalog from v3.14 to v4.04 so I removed it originally.
>
> My questions to you all are:
>
> 1) It seems to be a problem that is specific to this default page. Can
> someone confirm this?
> 2) Does this bug in util.pm open MiniVend to attacks in other functions?
> 3) Can we safeguard our catalogs by simply removing the file?
> 4) Are there other functions that rely on this page? I could find none when
> I converted to v4.04 and I have seen none since.
>
> I was pleased to hear of this contest because security is or should be a
> major concern for all of us.
>
> I hope Tim and the others will fix this hole and reset the counter so that
> more can be sought.
>
Just change the above line in view_page.html to
[elsif session arg =~ /\||^\/|\.\./]
or remove the view_page.html altogether. Util.pm is ok.
We don't have view_page.html on our system.
--
Kevin Walsh
kevin@cursor-software.co.uk
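The regex in the reply rejects a pipe, a leading slash, or ".." in the session argument before it is used as a page name. The check below is an added example, not code from the thread or from MiniVend: it transcribes that deny-list pattern into Python and sets an allow-list plus a canonical-path check beside it, with a hypothetical page directory of /var/lib/minivend/pages and constructed inputs, to show which arguments each approach lets through.

```python
import re
import posixpath
from pathlib import PurePosixPath

# Pattern transcribed from the reply's tag [elsif session arg =~ /\||^\/|\.\./]:
# reject a pipe anywhere, a slash at the start, or ".." anywhere.
DENY = re.compile(r'\||^/|\.\.')

# Allow-list alternative (added here, not from the thread). It deliberately permits
# dots inside segments, so traversal is caught by the path check, not the regex.
ALLOW = re.compile(r'[A-Za-z0-9_.-]+(?:/[A-Za-z0-9_.-]+)*')
PAGES_DIR = PurePosixPath("/var/lib/minivend/pages")  # hypothetical catalog page dir


def deny_list_ok(arg: str) -> bool:
    """True when the argument passes the reply's deny-list regex."""
    return DENY.search(arg) is None


def allow_list_ok(arg: str) -> bool:
    """True when the argument is only page-name characters AND the lexically
    normalised target file still lies inside PAGES_DIR."""
    if not ALLOW.fullmatch(arg):
        return False
    # normpath collapses "." and ".." without touching the filesystem
    target = PurePosixPath(posixpath.normpath(str(PAGES_DIR / (arg + ".html"))))
    return PAGES_DIR in target.parents


# Constructed inputs: (argument, should a defender accept it)
CASES = [
    ("index", True),
    ("products/widgets", True),
    ("/etc/passwd", False),          # absolute path
    ("../../etc/passwd", False),     # traversal from the start
    ("sub/../../etc/passwd", False), # traversal after a legitimate segment
    ("cat /etc/passwd|", False),     # pipe character, rejected by the reply's pattern
    ("index\x00.txt", False),        # NUL byte: the deny-list never mentions it
]


def evaluate() -> dict:
    """Return {arg: (deny_ok, allow_ok)} so the two checks can be compared."""
    return {arg: (deny_list_ok(arg), allow_list_ok(arg)) for arg, _ in CASES}


if __name__ == "__main__":
    for arg, expected in CASES:
        d, a = deny_list_ok(arg), allow_list_ok(arg)
        print(f"{arg!r:26} deny-list={'pass' if d else 'REJECT':6} "
              f"allow-list={'pass' if a else 'REJECT':6} should-pass={expected}")
```

The last case is the point of the comparison: a deny-list only stops what its author thought of, while the allow-list plus the canonical-path check rejects anything that is not a plain page name under the catalog directory.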