Re: HACKED [mv] eWeek using Minivend in our openhack project
****** message to minivend-users from Mike Heins <mikeh@minivend.com> ******
Quoting Cameron B. Prince (cbp@internetexpertsllc.com):
>
> I have duplicated this with a test v4.04 simple catalog.
>
> I had not taken the time to explore the view_page.html file when I converted
> my primary catalog from v3.14 to v4.04 so I removed it originally.
>
> My questions to you all are:
>
> 1) It seems to be a problem that is specific to this default page. Can
> someone confirm this?
> 2) Does this bug in util.pm open MiniVend to attacks in other functions?
> 3) Can we safeguard our catalogs by simply removing the file?
> 4) Are there other functions that rely on this page? I could find none when
> I converted to v4.04 and I have seen none since.
Strictly speaking, I think it is my poor programming of the page itself
which is the security risk. This is typical of Minivend and indeed
any program that allows any file access at all; it allows you to hang
yourself in some ways.
So I guess I am saying this particular hole is in the demo and not the
software itself. You would have to pass the command with
[file name="| some insecure command"] which requires pre-existing
write access. Or stupidly trying to use some non-processed filename
like I did.
I do recognize the problem with Util.pm, and have corrected it,
I believe.
I recommend all people remove view_page.html from their sites and
apply this patch:
*** minivend-4.04/lib/Vend/Util.pm Wed Apr 12 11:07:04 2000
--- minivend-4.04a/lib/Vend/Util.pm Wed Jul 5 07:06:06 2000
*************** sub readfile {
*** 807,812 ****
--- 807,813 ----
return undef;
}
+ return undef if ! -f $file;
return undef if ! open(READIN, $file);
binmode(READIN) if $Global::Windows;
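Review bot: the added "return undef if ! -f $file;" closes the pipe case only indirectly, because the unchanged "return undef if ! open(READIN, $file);" on the next line is still a two-argument open, which is what parses a leading or trailing '|' as a pipe in the first place; the file test and the open are also two separate steps, so a name that passes -f is still handed to the same parser. If the installed Perl supports it, the direct fix is an explicit read mode, open(READIN, '<', $file), with the -f test kept as a second layer. Note too that -f is satisfied by any regular file, so a name with a leading '/' or a '..' component still reads outside the pages directory after this hunk; that restriction has to come from the caller, as the view_page.html patch below does for that one page.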
### END PATCH
If you need the functionality of view_page.html, you can apply
this patch to close up the hole temporarily:
*** minivend-4.04/dist/simple/pages/view_page.html Thu Mar 9 14:08:17 2000
--- minivend-4.04a/dist/simple/pages/view_page.html Wed Jul 5 07:10:49 2000
***************
*** 1,7 ****
[new]
[if !session arg]
No argument given.
! [elsif session arg =~ /^\/|\.\./]
<H1>Why would you do something <FONT COLOR=__CONTRAST__>naughty</FONT>like putting
a leading slash or a .. in your URL? HMM???? I will use a new feature: Log("Attack from " . $Session->{remote_addr}). [mvasp] <% Log($Session->{remote_addr}) %>[/mvasp]
[/elsif]
--- 1,7 ----
[new]
[if !session arg]
No argument given.
! [elsif session arg =~ /^\/|\.\.|\|/]
<H1>Why would you do something <FONT COLOR=__CONTRAST__>naughty</FONT>like putting
a leading slash or a .. in your URL? HMM???? I will use a new feature: Log("Attack from " . $Session->{remote_addr}). [mvasp] <% Log($Session->{remote_addr}) %>[/mvasp]
[/elsif]
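Review bot: the logging in the [mvasp] block does not do what the page text says it does: the H1 describes Log("Attack from " . $Session->{remote_addr}) but the code calls Log($Session->{remote_addr}), so the log entry is a bare address with no indication of which check fired or which argument was rejected. Suggest logging the prefix together with the rejected argument value so the entry can be correlated during triage. The widened pattern /^\/|\.\.|\|/ is a denylist of three cases; since this page only ever serves a page by name, an allowlist test on the argument (letters, digits, '_', '-' and a single '.' separator) would reject the slash, traversal and pipe cases at once and anything similar that is not yet listed. Also, the <H1> opened on the first line of the new text is never closed within the hunk, and the space before "like" is missing after </FONT>.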
--
Akopia, Inc., 131 Willow Lane, Floor 2, Oxford, OH 45056
phone +1.513.523.7621 fax 7501 <heins@akopia.com>
I have a cop friend who thinks he ought be able to give a new ticket;
"too dumb for conditions".
-
To unsubscribe from the list, DO NOT REPLY to this message. Instead, send
email with 'UNSUBSCRIBE minivend-users' in the body to Majordomo@minivend.com.
Archive of past messages: http://www.minivend.com/minivend/minivend-list
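As an added illustration, not code from this message or from Minivend itself, the script below shows the shape of the unsafe two-argument open that the thread is about (defined only for comparison and never called), beside a hardened readfile that keeps the -f test from the Util.pm patch, adds a three-argument open with an explicit '<' mode so the name can never be parsed as a pipe, and applies the same leading-slash, '..' and '|' rejections as the view_page.html patch. It assumes a single pages directory passed in by the caller; the temporary directory and the page names it tries are constructed for the demo.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

# Shape of the original readfile() open, kept here only for comparison
# and deliberately never called: with two-argument open(), a name such
# as '| some insecure command' is treated as a pipe and runs a program
# instead of opening a file.
sub readfile_unsafe {
    my ($file) = @_;
    return undef if ! open(READIN, $file);   # two-arg open: '|' means pipe
    local $/;
    my $contents = <READIN>;
    close READIN;
    return $contents;
}

# Hardened reader (illustrative, not Minivend's own API):
#   1. reject a leading '/', any '..' and any '|' (the view_page.html check)
#   2. confine the name to the assumed pages directory
#   3. require a regular file (the Util.pm patch's -f test)
#   4. open with an explicit read mode so no pipe parsing can occur
sub readfile_safe {
    my ($pages_dir, $name) = @_;
    return undef if $name =~ m{^/|\.\.|\|};
    my $file = File::Spec->catfile($pages_dir, $name);
    return undef if ! -f $file;
    open(my $fh, '<', $file) or return undef;   # three-arg open, read only
    local $/;
    my $contents = <$fh>;
    close $fh;
    return $contents;
}

# Constructed demo: a throwaway pages directory holding one real page.
my $dir = tempdir(CLEANUP => 1);
open(my $out, '>', "$dir/about.html") or die "cannot write demo page: $!";
print $out "<H1>About</H1>\n";
close $out;

# Constructed arguments: one legitimate page name, three of the shapes the
# patches reject, and one name that passes the pattern but does not exist.
for my $arg ('about.html', '../etc/passwd', '/etc/passwd',
             '| some insecure command', 'missing.html') {
    my $r = readfile_safe($dir, $arg);
    printf "%-26s -> %s\n", $arg,
        defined $r ? 'read ' . length($r) . ' bytes' : 'rejected';
}
```

Run it with perl from any directory; only about.html is read, the other four names return undef before any open() is attempted or because no regular file exists at the joined path. The regular-file test and the explicit mode are independent layers: the mode removes the pipe interpretation outright, while the -f test still rejects directories and missing files.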