[ic] security

John Beima jbeima@reality.palb.com
Thu, 25 Jan 2001 21:45:18 -0700 (MST)


G'Day Ron,

What you must do is use a utility like phpMyAdmin and open up the UserDB table, 
then compare every variable type with the userdb.mysql file. You will find at 
least two hard coded mistakes...

Then if I recall right, as of some version of 4.0X and now in the 4.6.X tree 
there are new fields that are created that aren't even in the userdb.mysql file.

That and one other golden little change allows you to successfully export and 
re-import the UserDB file, at any time.

John Beima


Quoting Ron Phipps <rphipps@reliant-solutions.com>:

> Thanks John,
> 
> We had planned to remove the auto creation routines and require users to
> create an account the normal way to checkout.  I'll check out the userdb.mysql
> file and see if there are any differences.  Have a good one.
> 
> -Ron
> 
> ----- Original Message -----
> From: "John Beima" <jbeima@reality.palb.com>
> To: <interchange-users@lists.akopia.com>
> Sent: Thursday, January 25, 2001 8:15 PM
> Subject: Re: [ic] security
> 
> 
> > Oh and the reason the user is able to see another user's data appears
> > to be a session issue.
> >
> > The routines that create the blank user are the auto-account creation
> > routines on the check-out page. If you remove them as well, the user
> > hopping stops.
> >
> > It appears if MiniVend is not able to create an account in the UserDB,
> > my guess would be there are two orders going through at the same time
> > trying to auto-create the same account name; since it is an incrementing
> > number, the second one fails, and instead of an error generating, receives
> > the user info from the last logged in client, or the other user creation
> > that it collided with.
> >
> > Either which way, removal of the auto-account creation routines from the
> > check-out page, and fixing of the userdb.mysql file, should stop all your
> > problems dead in the water...
> >
> > John Beima
> >
> >
> > Quoting Ron Phipps <rphipps@reliant-solutions.com>:
> >
> > > Sonny,
> > >
> > > I just had a client report that his users were able to login without
> > > specifying a username and password.  When they did it would pull up
> > > info for a person by the name of Kelly.  I looked in the db and sure
> > > enough the username field was blank.  It appears that there is a bug
> > > somewhere in the account creation routine that allows this to happen.
> > > We have not seen how this is done, just know that it can be done.
> > > Any ideas?
> > >
> > > Thanks,
> > > -Ron
> > >
> > > ----- Original Message -----
> > > From: "Sonny Cook" <sonny@akopia.com>
> > > To: <interchange-users@minivend.com>
> > > Sent: Monday, November 27, 2000 11:34 AM
> > > Subject: Re: [ic] security
> > >
> > >
> > > > Although it is not technically a bug, a blank username in the system
> > > > will do bad things.  Any way that exists to create a user with a blank
> > > > username is a bug.  If you discover any ways to do this (within
> > > > interchange) please report it.
> > > >
> > > > ---
> > > > Sonny Cook
> > > > Akopia
> > > >
> > > > "I don't want fifteen dollars."  --Franklin D. Roosevelt
> > > >
> > > > On Sun, 26 Nov 2000, John Beima wrote:
> > > >
> > > > > Actually after looking through your databases, I must assure
> > > > > everyone this is NOT I repeat NOT a bug...
> > > > >
> > > > > You have had 102 people use the auto creation of a user account on
> > > > > your checkout page. Which may be part of the source of the problem,
> > > > > but it seems to be working fine.
> > > > >
> > > > > There were at LEAST ten invoices sold to an account with " " as the
> > > > > username and " " as the password. What is just happening is each
> > > > > person down the line is logging on as the last person, hence having
> > > > > his data retrieved.
> > > > >
> > > > > I am not sure how they are creating an account with a 1 character
> > > > > space as the username and password, but someone did. The rest just
> > > > > logged on under it.
> > > > >
> > > > > Maybe we should beg Mike to take a little look into this. Peter is
> > > > > running 4.5.6 of Interchange...
> > > > >
> > > > >
> > > > > John Beima
> > > > >
> > > > >
> > > > > Quoting peterferguson <peterferguson@tinyworld.co.uk>:
> > > > >
> > > > > > Has anyone experienced seeing others user details on checkout?
> > > > > >
> > > > > > Please contact me as to how this problem can be resolved.
> > > > > >
> > > > > > Thanks,
> > > > > >
> > > > > > Pete
> > > > > >
> > > > >
> > > > >
> > > > > John Beima
> > > > > jbeima@palb.com
> > > > >
> > > > > P.A.L.B. Systems - Phone: (780)451-1086 - Fax: (780)447-4760
> > > > > 11639-122 Street, Edmonton, Alberta, Canada, T5M 0B6
> > > > >
> > > > > _______________________________________________
> > > > > Interchange-users mailing list
> > > > > Interchange-users@www.minivend.com
> > > > > http://www.minivend.com/mailman/listinfo/interchange-users
> > > > >
> > > >
> > >
> > >
> > > _______________________________________________
> > > Interchange-users mailing list
> > > Interchange-users@lists.akopia.com
> > > http://lists.akopia.com/mailman/listinfo/interchange-users
> > >
> >
> >
> 
> 



John Beima
jbeima@palb.com, support@alocalagent.com, and support@alocalchurch.com

P.A.L.B. Systems - Phone: (780)451-1086 - Fax: (780)447-4760
11639-122 Street, Edmonton, Alberta, Canada, T5M 0B6

Affordabel Web Pages - Phone: (888)932-9990 - Fax: (256)351-7297
2713B Spring Place SW, Decatur, Alabama, United States, 35603
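The thread's failure mode is a UserDB row whose username (and password) is blank or a single space, which every later empty login then resolves to. The query below is an added example, not from the thread or from Interchange itself; it assumes the table is named userdb and the columns are username and password (the column names are assumptions) and runs under MySQL, the database the thread discusses.

```sql
-- Added example (not from the thread): audit a MySQL UserDB for accounts that
-- can be reached with an empty or whitespace-only login, as described above.
-- Assumed table/column names: userdb, username, password.

-- 1. List every account whose username or password is NULL, empty, or made up
--    only of spaces (the " " case from the thread). LENGTH() shows the exact
--    stored size so a one-space value is distinguishable from an empty string.
SELECT username,
       LENGTH(username) AS username_len,
       LENGTH(password) AS password_len
FROM   userdb
WHERE  username IS NULL OR TRIM(username) = ''
   OR  password IS NULL OR TRIM(password) = '';

-- 2. Show the live column definitions so they can be compared, field by field,
--    against the userdb.mysql file that ships with the distribution
--    (the thread reports hard-coded type mismatches and fields missing from it).
SHOW COLUMNS FROM userdb;

-- 3. Prevent the blank row from being created again: make the key column
--    mandatory and unique. Run only after step 1 returns no rows, because the
--    unique key will fail while duplicate blank usernames still exist.
ALTER TABLE userdb
  MODIFY username VARCHAR(255) NOT NULL,
  ADD UNIQUE KEY uniq_username (username);
```

Step 3 does not reject a single-space username on its own (MySQL treats ' ' as a non-empty value), so step 1 should be re-run periodically, or the application-side check in the auto-account creation routine should trim the value before inserting.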