[ic] Security Problem in Interchange

Stefan Hornburg racke at linuxia.de
Mon Mar 29 14:30:02 EST 2004


On Mon, 29 Mar 2004 11:03:32 -0700
"Barry Treahy, Jr." <Treahy at mmaz.com> wrote:

> Stefan Hornburg wrote:
>
> >On Mon, 29 Mar 2004 09:35:48 -0700
> >"Barry Treahy, Jr." <Treahy at mmaz.com> wrote:
> >
> >>Stefan Hornburg wrote:
> >>
> >>>On Mon, 29 Mar 2004 08:25:14 -0700
> >>>"Barry Treahy, Jr." <Treahy at mmaz.com> wrote:
> >>>
> >>>>Stefan Hornburg wrote:
> >>>>
> >>>>>Dear Interchange community !
> >>>>>
> >>>>>All versions of Interchange (4.8.x, 5.0.x, 5.1.x) contain a security hole
> >>>>>which allows an attacker to expose arbitrary variable contents by using
> >>>>>a URL like http://shop.example.com/cgi-bin/store/__SQLUSER__.
> >>>>>
> >>>>>All Interchange applications using the standard "missing" special page
> >>>>>from the demo catalog or a similar one are vulnerable to this attack.
> >>>>>The attacker may learn the SQL access information for your Interchange
> >>>>>application and use this information to read and manipulate sensitive
> >>>>>data.
> >>>>>
> >>>>>Attached are patches for the following Interchange versions:
> >>>>>
> >>>>>4.8.x:     Page-4.8.diff
> >>>>>
> >>>>I manually applied this patch to the 4.8.6 system I have running, 
> >>>>restarted IC, flushed my browser cache and still seeing the same 
> >>>>results...  any thoughts?
> >>>>
> >>>You can use the attached update patch. It works on my 4.8 system, but
> >>>no guarantees whatsoever ...
> >>>
> >>>Any test reports are welcome.
> >>>
> >>I tried the patch first, being lazy, and it didn't work (the reject file 
> >>is below).  I then tried manually applying the patch and still not 
> >>proper results... Looking at the page presented, I leave info tags and 
> >>I'm at this page:
> >>
> >
> >I attached Page.pm from 4.8.6, with my patch applied.
> >Please recheck.
> >
> That worked, it redirected to the violation page which then produced 
> some very ugly results, I suspect mainly because it had never been 
> targeted...  Thanks again!

Thanks for your report in the first place. The violation page is
pretty broken, I can admit that :-;. Better than a break-in anyway.

	Racke
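
Added example, not part of the original message or of the Interchange code base: a Python check that scans web server access logs for requests whose path carries an Interchange variable token such as the `__SQLUSER__` shown in the advisory, so an operator can see whether a catalog was probed before the patch was applied. The log lines, the `__EXAMPLE_VAR__` name, the Common Log Format layout and the upper-case naming rule are assumptions made for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Variable token in the form the advisory shows: __NAME__
# (assumption: names are upper-case letters, digits and underscores).
VAR_TOKEN = re.compile(r"__([A-Z][A-Z0-9_]*?)__")

# Request field of a Common Log Format line: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def decode_fully(text, rounds=3):
    """Percent-decode repeatedly so %5F and %255F spellings are normalised."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def find_variable_probes(log_lines):
    """Return (client, decoded path, variable names) for suspicious requests."""
    hits = []
    for line in log_lines:
        match = REQUEST.search(line)
        if not match:
            continue  # not a request line we can parse
        # Only the path is checked, as in the advisory's example URL.
        path = decode_fully(urlsplit(match.group("target")).path)
        names = VAR_TOKEN.findall(path)
        if names:
            client = line.split(" ", 1)[0]
            hits.append((client, path, names))
    return hits


# Constructed sample log lines (documentation IP ranges, invented sizes).
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Mar/2004:10:01:07 -0700] "GET /cgi-bin/store/index.html HTTP/1.1" 200 5120',
    '198.51.100.7 - - [29/Mar/2004:10:02:11 -0700] "GET /cgi-bin/store/__SQLUSER__ HTTP/1.1" 200 2210',
    '198.51.100.7 - - [29/Mar/2004:10:02:15 -0700] "GET /cgi-bin/store/%5F%5FEXAMPLE_VAR%5F%5F?id=1 HTTP/1.0" 200 2198',
    '203.0.113.5 - - [29/Mar/2004:10:03:40 -0700] "GET /cgi-bin/store/ord/basket.html?note=hello HTTP/1.1" 200 4000',
]

if __name__ == "__main__":
    for client, path, names in find_variable_probes(SAMPLE_LOG):
        print(f"{client} requested {path} (variables: {', '.join(names)})")
```

Any hit dated before the patched Page.pm went live is a reason to rotate the database credentials the catalog uses.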


