[ic] Security Problem in Interchange (Update for 4.8.x)

Stefan Hornburg racke at linuxia.de
Mon Mar 29 11:52:10 EST 2004


Dear Interchange community!

This is an important update of the last report about the security hole
as we found the patch for 4.8.x non-functional. If you already applied
the patch from the last report, please contact me for an incremental
patch.

All versions of Interchange (4.8.x, 5.0.x, 5.1.x) contain a security hole
which allows an attacker to expose arbitrary variable contents by using
a URL like http://shop.example.com/cgi-bin/store/__SQLUSER__.

All Interchange applications using the standard "missing" special page
from the demo catalog or a similar one are vulnerable to this attack.
The attacker may learn the SQL access information for your Interchange
application and use this information to read and manipulate sensitive
data. 

Attached are patches for the following Interchange versions:

4.8.x:     Page-4.8.diff
5.0.x:     Page-5.0.diff
5.1.x/CVS: Page-5.1.diff

To apply the patch for your Interchange version, enter the
directory Vend resp. lib/Vend below your Interchange installation
directory and run the following command:

patch -p3 < /path/to/Page.diff

Please replace the file name of the patch file with the 
appropriate location.

Tarballs and Debian packages for Interchange 4.8.8 and Interchange 5.0.1
will be released shortly.

	Racke

-- 
LinuXia Systems => http://www.linuxia.de/
Expert Interchange Consulting and System Administration
ICDEVGROUP => http://www.icdevgroup.org/
Interchange Development Team
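
Added example, not part of the original post or of Interchange: a log check for requests whose page name carries a variable reference of the kind the attached patches reject, useful for seeing whether a shop was probed before patching. It assumes a Common Log Format access log; the function names and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Variable-reference alternatives of the pattern the patches add to
# Vend/Page.pm (__NAME__, @_NAME_@, @@NAME@@), written in Python syntax.
VARIABLE_REF = re.compile(r"[@_]_[A-Z]\w+_[@_]|@@[A-Z]\w+@@")
# Assumption: the web server writes Common Log Format.
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[A-Z]+ (\S+)[^"]*" (\d{3})')

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so single and double encoding both surface."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def candidate_names(target):
    """The page name can arrive in the path or in the mv_nextpage CGI value."""
    parts = urlsplit(target)
    raw = [parts.path] + parse_qs(parts.query).get("mv_nextpage", [])
    return [decode_fully(name) for name in raw]

def find_probes(lines):
    """Return (client, timestamp, matched reference, status) per suspicious request."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a request line in the assumed format
        client, when, target, status = m.groups()
        for name in candidate_names(target):
            ref = VARIABLE_REF.search(name)
            if ref:
                hits.append((client, when, ref.group(0), int(status)))
                break
    return hits

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Mar/2004:10:01:02 -0500] "GET /cgi-bin/store/index.html HTTP/1.0" 200 5120',
    '198.51.100.7 - - [29/Mar/2004:10:02:11 -0500] "GET /cgi-bin/store/__SQLUSER__ HTTP/1.0" 200 812',
    '198.51.100.7 - - [29/Mar/2004:10:02:15 -0500] "GET /cgi-bin/store/%5F%5FSQLUSER%5F%5F HTTP/1.0" 200 812',
    '203.0.113.5 - - [29/Mar/2004:10:05:40 -0500] "GET /cgi-bin/store/process?mv_nextpage=%5F%5FSQLUSER%5F%5F HTTP/1.0" 200 640',
    '192.0.2.10 - - [29/Mar/2004:10:06:00 -0500] "GET /cgi-bin/store/summer__sale.html HTTP/1.0" 200 2048',
]

if __name__ == "__main__": print(*find_probes(SAMPLE_LOG), sep="\n")
```

Any client that shows up here against an unpatched shop is a reason to rotate the SQL credentials the message says can be exposed.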

-------------- next part --------------
diff -u -r2.16 -r2.17
--- interchange-5.0.0/lib/Vend/Page.pm	27 Dec 2003 01:08:33 -0000	2.16
+++ interchange-5.0.1/lib/Vend/Page.pm	28 Mar 2004 20:29:39 -0000	2.17
@@ -56,16 +56,17 @@
 
 	undef $Vend::write_redirect;
 
-	$name =~ m/[\[<]+/g
+	$name =~ m/[\[<]|[\@_]_[A-Z]\w+_[\@_]|\@\@[A-Z]\w+\@\@/
 		and do {
 			::logGlobal(
 					"Security violation -- scripting character in page name '%s'.",
 					$name,
 				);
-			$name = 'violation';
+			$name = find_special_page('violation');
+			1 while $subject =~ s/[\@_]_/_/g;
 		};
 
-	$subject = $subject || 'unspecified error';
+	$subject ||= 'unspecified error';
 
 	my $noname = $name;
 	$noname =~ s:^\.\./::;
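Review bot: The `1 while $subject =~ s/[\@_]_/_/g;` scrub sits inside the `and do { ... }` block, so `$subject` is only cleaned when `$name` itself matched; a call with a clean page name passes its `$subject` through untouched. The substitution also leaves the `@@NAME@@` form alone, although the new pattern treats that form as a violation. If `$subject` can end up in interpolated output, move the scrub out of the block so it always runs, and extend it to cover `@@` as well.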
@@ -88,17 +89,17 @@
 	my($name, $opt) = @_;
 	my($page);
 
-	$name =~ m/[\[<]+/g
+	$name ||= $CGI::values{mv_nextpage};
+
+	$name =~ m/[\[<]|[\@_]_[A-Z]\w+_[\@_]|\@\@[A-Z]\w+\@\@/
 		and do {
 			::logGlobal(
 					"Security violation -- scripting character in page name '%s'.",
 					$name,
 				);
-			$name = 'violation';
+			$name = find_special_page('violation');
 			return display_special_page($name);
 		};
-
-	$name = $CGI::values{mv_nextpage} unless $name;
 
 	if($Vend::Cfg->{ExtraSecure} and
 		$Vend::Cfg->{AlwaysSecure}->{$name}
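Review bot: Nothing in the code says that `$name ||= $CGI::values{mv_nextpage};` has to stay above the pattern check, yet that ordering is what brings the CGI-supplied name under the check. Add a one-line comment above the assignment saying so, so a later cleanup does not move it back down. The same pattern literal is now repeated in both subs; holding it in one shared `qr//` variable would keep the two checks from drifting apart.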


-------------- next part --------------
diff -u -r2.16 -r2.17
--- interchange-5.1.0-vanilla/lib/Vend/Page.pm	27 Dec 2003 01:08:33 -0000	2.16
+++ interchange-5.1.0/lib/Vend/Page.pm	28 Mar 2004 20:29:39 -0000	2.17
@@ -56,13 +56,14 @@
 
 	undef $Vend::write_redirect;
 
-	$name =~ m/[\[<]/
+	$name =~ m/[\[<]|[\@_]_[A-Z]\w+_[\@_]|\@\@[A-Z]\w+\@\@/
 		and do {
 			::logGlobal(
 					"Security violation -- scripting character in page name '%s'.",
 					$name,
 				);
-			$name = 'violation';
+			$name = find_special_page('violation');
+			1 while $subject =~ s/[\@_]_/_/g;
 		};
 
 	$subject ||= 'unspecified error';
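Review bot: The `::logGlobal` text still reads "scripting character in page name", but the widened pattern above it now also fires on variable references such as `__NAME__`, which contain no scripting character. Someone reading the global log cannot tell a markup attempt from a variable probe. Suggest a separate message for the new alternatives, or a neutral wording such as "illegal sequence in page name".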
@@ -90,13 +91,13 @@
 
 	$name ||= $CGI::values{mv_nextpage};
 
-	$name =~ m/[\[<]/
+	$name =~ m/[\[<]|[\@_]_[A-Z]\w+_[\@_]|\@\@[A-Z]\w+\@\@/
 		and do {
 			::logGlobal(
 					"Security violation -- scripting character in page name '%s'.",
 					$name,
 				);
-			$name = 'violation';
+			$name = find_special_page('violation');
 			return display_special_page($name);
 		};
 
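Review bot: The return value of `find_special_page('violation')` goes straight into `display_special_page($name)` with no check that a page name came back. Unless `find_special_page` is guaranteed to supply a default, keep the old literal as a fallback, for example `$name = find_special_page('violation') || 'violation';`.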

-------------- next part --------------
diff -u -r2.0.2.5 -r2.0.2.7
--- interchange-4.8.7/lib/Vend/Page.pm	26 Nov 2002 03:21:10 -0000	2.0.2.5
+++ interchange-4.8.8/lib/Vend/Page.pm	29 Mar 2004 16:32:27 -0000	2.0.2.7
@@ -54,13 +54,14 @@
 	my($name, $subject) = @_;
 	my($page);
 
-	$name =~ m/[\[<]+/g
+	$name =~ m/[\[<]|[\@_]_[A-Z]\w+_[\@_]|\@\@[A-Z]\w+\@\@/
 		and do {
 			::logGlobal(
 					"Security violation -- scripting character in page name '%s'.",
 					$name,
 				);
-			$name = 'violation';
+			$name = find_special_page('violation');
+			1 while $subject =~ s/[\@_]_/_/g;
 		};
 
 	$subject = $subject || 'unspecified error';
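Review bot: In the new pattern, the name part `[A-Z]\w+` only matches names that begin with an uppercase letter and are at least two characters long. If the variable syntax accepts lowercase or single-character names, those pass this check; please confirm against the variable parser or loosen the name part to `\w+`. A short comment above the match listing the three forms it is meant to catch would also help the next reader.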
@@ -83,17 +84,18 @@
 	my($name) = @_;
 	my($page);
 
-	$name =~ m/[\[<]+/g
+	$name ||= $CGI::values{mv_nextpage};
+	
+	$name =~ m/[\[<]|[\@_]_[A-Z]\w+_[\@_]|\@\@[A-Z]\w+\@\@/
 		and do {
 			::logGlobal(
 					"Security violation -- scripting character in page name '%s'.",
 					$name,
 				);
-			$name = 'violation';
+			$name = find_special_page('violation');
 			return display_special_page($name);
 		};
 
-	$name = $CGI::values{mv_nextpage} unless $name;
 #::logDebug("display_page: $name");
 	if($Vend::Cfg->{ExtraSecure} and
 		$Vend::Cfg->{AlwaysSecure}->{$name}
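Review bot: With the fallback moved above the check, a `$name` taken from `$CGI::values{mv_nextpage}` now reaches the `::logGlobal` call verbatim through '%s'. Unless `logGlobal` already does so, strip control characters and cap the length before logging so a request cannot forge or bloat log entries. Minor: the added blank line after the `||=` assignment carries a stray tab, which the 5.0.x version of this hunk does not.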

