[ic] Security Problem in Interchange

Barry Treahy, Jr. Treahy at MMaz.com
Mon Mar 29 13:03:32 EST 2004 

Stefan Hornburg wrote:

>On Mon, 29 Mar 2004 09:35:48 -0700
>"Barry Treahy, Jr." <Treahy at mmaz.com> wrote:
>
>  
>
>>Stefan Hornburg wrote:
>>
>>    
>>
>>>On Mon, 29 Mar 2004 08:25:14 -0700
>>>"Barry Treahy, Jr." <Treahy at mmaz.com> wrote:
>>> 
>>>
>>>      
>>>
>>>>Stefan Hornburg wrote:
>>>>   
>>>>
>>>>        
>>>>
>>>>>Dear Interchange community !
>>>>>
>>>>>All versions of Interchange (4.8.x, 5.0.x, 5.1.x) contain a security hole
>>>>>which allows an attacker to expose arbitrary variable contents by using
>>>>>an URL like http://shop.example.com/cgi-bin/store/__SQLUSER__. 
>>>>>
>>>>>All Interchange applications using the standard "missing" special page
>>>>>     
>>>>>
>>>>>          
>>>>>
>>>>>from the demo catalog or a similar one are vulnerable to this attack.
>>>>   
>>>>
>>>>        
>>>>
>>>>>The attacker may learn the SQL access information for your Interchange
>>>>>application and use this information to read and manipulate sensitive
>>>>>data. 
>>>>>
>>>>>Attached are patches for the following Interchange versions:
>>>>>
>>>>>4.8.x:     Page-4.8.diff
>>>>>
>>>>>
>>>>>     
>>>>>
>>>>>          
>>>>>
>>>>I manually applied this patch to the 4.8.6 system I have running, 
>>>>restarted IC, flushed my browser cache and still seeing the same 
>>>>results...  any thoughts?
>>>>   
>>>>
>>>>        
>>>>
>>>You can use the attached update patch. It works on my 4.8 system, but
>>>no guarantees whatsoever ...
>>>
>>>Any test reports are welcome.
>>>
>>> 
>>>
>>>      
>>>
>>I tried the patch first, being lazy, and it didn't work (the reject file 
>>is below).  I then tried manually applying the patch and still not 
>>proper results... Looking at the page presented, I leave info tags and 
>>I'm at this page:
>>    
>>
>
>I attached Page.pm from 4.8.6, with my patch applied.
>Please recheck.
>
>  
>
That worked, it redirected to the violation page which then produced 
some very ugly results, I suspect mainly because it had never been 
targeted...  Thanks again!

Barry

-- 

Barry Treahy, Jr                       E-mail: Treahy at MMaz.com
Midwest Microwave                          Phone: 480/314-1320
Vice President & CIO                         FAX: 480/661-7028

More information about the interchange-users mailing list