[ic] Security Problem in Interchange
Stefan Hornburg
racke at linuxia.de
Mon Mar 29 14:30:02 EST 2004
On Mon, 29 Mar 2004 11:03:32 -0700
"Barry Treahy, Jr." <Treahy at mmaz.com> wrote:
> Stefan Hornburg wrote:
>
> >On Mon, 29 Mar 2004 09:35:48 -0700
> >"Barry Treahy, Jr." <Treahy at mmaz.com> wrote:
> >
> >>Stefan Hornburg wrote:
> >>
> >>>On Mon, 29 Mar 2004 08:25:14 -0700
> >>>"Barry Treahy, Jr." <Treahy at mmaz.com> wrote:
> >>>
> >>>>Stefan Hornburg wrote:
> >>>>
> >>>>>Dear Interchange community !
> >>>>>
> >>>>>All versions of Interchange (4.8.x, 5.0.x, 5.1.x) contain a security hole
> >>>>>which allows an attacker to expose arbitrary variable contents by using
> >>>>>a URL like http://shop.example.com/cgi-bin/store/__SQLUSER__.
> >>>>>
> >>>>>All Interchange applications using the standard "missing" special page
> >>>>>from the demo catalog or a similar one are vulnerable to this attack.
> >>>>>
> >>>>>The attacker may learn the SQL access information for your Interchange
> >>>>>application and use this information to read and manipulate sensitive
> >>>>>data.
> >>>>>
> >>>>>Attached are patches for the following Interchange versions:
> >>>>>
> >>>>>4.8.x: Page-4.8.diff
> >>>>>
> >>>>I manually applied this patch to the 4.8.6 system I have running,
> >>>>restarted IC, flushed my browser cache and still seeing the same
> >>>>results... any thoughts?
> >>>>
> >>>You can use the attached update patch. It works on my 4.8 system, but
> >>>no guarantees whatsoever ...
> >>>
> >>>Any test reports are welcome.
> >>>
> >>I tried the patch first, being lazy, and it didn't work (the reject file
> >>is below). I then tried manually applying the patch and still not
> >>proper results... Looking at the page presented, I leave info tags and
> >>I'm at this page:
> >>
> >I attached Page.pm from 4.8.6, with my patch applied.
> >Please recheck.
> >
> That worked, it redirected to the violation page which then produced
> some very ugly results, I suspect mainly because it had never been
> targeted... Thanks again!
Thanks for your report in the first place. The violation page is
pretty broken, I can admit that :-;. Better than a break-in anyway.
Racke