
Re: HACKED [mv] eWeek using Minivend in our openhack project



******    message to minivend-users from "Michael Schwartz" <michael@panamacom.com>     ******

Hi,
I haven't seen any other messages concerning this issue. I did the
test, and I also tried in several other pages, but it didn't work, just in
view_page, so my guess is that this security problem affects view_page
only.
Does someone else have any other info concerning this?
Thanks
----- Original Message -----
From: Cameron B. Prince <cbp@internetexpertsllc.com>
To: <minivend-users@minivend.com>
Sent: Monday, July 03, 2000 11:55 AM
Subject: RE: HACKED [mv] eWeek using Minivend in our openhack project


> ******    message to minivend-users from "Cameron B. Prince" <cbp@InternetExpertsLLC.com>     ******
>
> I have duplicated this with a test v4.04 simple catalog.
>
> I had not taken the time to explore the view_page.html file when I converted
> my primary catalog from v3.14 to v4.04 so I removed it originally.
>
> My questions to you all are:
>
> 1) It seems to be a problem that is specific to this default page. Can
> someone confirm this?
> 2) Does this bug in util.pm open MiniVend to attacks in other functions?
> 3) Can we safeguard our catalogs by simply removing the file?
> 4) Are there other functions that rely on this page? I could find none when
> I converted to v4.04 and I have seen none since.
>
> I was pleased to hear of this contest because security is or should be a
> major concern for all of us.
>
> I hope Tim and the others will fix this hole and reset the counter so that
> more can be sought.
>
> Thanks for your dedication.
>
>
> Cameron
>
>
> -----Original Message-----
> From: owner-minivend-users@minivend.com
> [mailto:owner-minivend-users@minivend.com]On Behalf Of Alexander Lazic
> Sent: Monday, July 03, 2000 3:33 AM
> To: henry_baltazar@ziffdavis.com; timothy_dyck@ziffdavis.com
> Cc: minivend-users@minivend.com; Timothy Dyck
> Subject: Re: HACKED [mv] eWeek using Minivend in our openhack project
>
> ******    message to minivend-users from Alexander Lazic <all@gmx.at>
> ******
>
> hi,
>
> > Since we are paying money if anyone can crack into the store ($1,500),
> > it's possible that someone is going to go through the code looking for
> > ways to exploit any holes. Other than the advice in the FAQ on "Is
> > MiniVend secure" and in the "MiniVend Security" section of the manual, are
> > there any other security tips people can provide to keep our site locked
> > down? Thanks very much.
>
> there is a security hole in the minivend Util.pm module
>
> routine readfile at line 810:
>
> --cut here---
> return undef if ! open(READIN, $file);
> --cut here---
>
> ... minivend file view_page.html:
>
> ---cut here---
> [elsif session arg =~ /^\/|\.\./]
> ---cut here---
>
> does no proper input validation (they forgot about the "|" :)
>
> these two problems allow HTTP requests like:
>
> https://www.openhack.com/cgi-bin/eweekorcl/view_page.html?mv_arg=|ls|
>
> so anybody can execute "any" command with minivend's permissions ..
>
> /* with the ORACLE_USERID=minivend/hugepassword@orcl and sqlplus it should
> be easy to execute queries on the oracle database
>  .. unfortunately the user minivend is not allowed to set
> environment-variables .. due to lack of time we were not able to have a
> closer look at this ... */
>
> that's all
>
> almei
>
> --
> Sent through GMX FreeMail - http://www.gmx.net
>
> -
> To unsubscribe from the list, DO NOT REPLY to this message.  Instead, send
> email with 'UNSUBSCRIBE minivend-users' in the body to
> Majordomo@minivend.com.
> Archive of past messages: http://www.minivend.com/minivend/minivend-list
>

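The two defects Alexander describes (alternation precedence in the view_page pattern, and two-argument open() treating a leading or trailing "|" as a command pipe) shown beside a tightened check, as an added example in Perl; this is not MiniVend's own code, and the function names are hypothetical:

```perl
#!/usr/bin/perl
# Added example (not MiniVend code): why the quoted view_page check is
# bypassable and how a defender would tighten it. Names are hypothetical.
use strict;
use warnings;

# The pattern exactly as quoted in the thread. Alternation binds loosest,
# so this reads as (^\/) OR (\.\.): it rejects a leading slash or "..",
# but says nothing about "|" or any other shell metacharacter.
sub flawed_rejects {
    my ($arg) = @_;
    return $arg =~ /^\/|\.\./ ? 1 : 0;
}

# Hardened replacement: allowlist the page name instead of denylisting a
# few bad characters. Only letters, digits, '_' and '-' are accepted.
sub safe_rejects {
    my ($arg) = @_;
    return $arg =~ /\A[A-Za-z0-9_-]+\z/ ? 0 : 1;
}

# Two-argument open() parses a leading or trailing '|' as "run this as a
# command". Three-argument open() with an explicit '<' mode treats the
# whole string as a filename, so no pipe handling can ever be triggered.
sub read_page {
    my ($dir, $arg) = @_;
    return undef if safe_rejects($arg);
    my $file = "$dir/$arg.html";
    open(my $fh, '<', $file) or return undef;   # 3-arg open: no pipe magic
    local $/;                                   # slurp the whole file
    my $content = <$fh>;
    close $fh;
    return $content;
}

# Constructed sample inputs, including the value reported in the thread.
for my $arg ('index', '../secret', '/etc/passwd', '|ls|') {
    printf "%-12s flawed:%s safe:%s\n", $arg,
        flawed_rejects($arg) ? 'reject' : 'ACCEPT',
        safe_rejects($arg)   ? 'reject' : 'ACCEPT';
}
```

Running it shows the quoted pattern rejecting the path cases but accepting `|ls|`, while the allowlist rejects everything except the plain page name.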