[ic] Security Problem in Interchange

Eros Shop info at eros-shop.co.uk
Mon Mar 29 13:40:25 EST 2004


At 19:03 29/03/2004, you wrote:
>Stefan Hornburg wrote:
>
>>On Mon, 29 Mar 2004 09:35:48 -0700
>>"Barry Treahy, Jr." <Treahy at mmaz.com> wrote:
>>
>>>Stefan Hornburg wrote:
>>>
>>>>On Mon, 29 Mar 2004 08:25:14 -0700
>>>>"Barry Treahy, Jr." <Treahy at mmaz.com> wrote:
>>>>
>>>>>Stefan Hornburg wrote:
>>>>>
>>>>>>Dear Interchange community!
>>>>>>
>>>>>>All versions of Interchange (4.8.x, 5.0.x, 5.1.x) contain a security hole
>>>>>>which allows an attacker to expose arbitrary variable contents by using
>>>>>>a URL like http://shop.example.com/cgi-bin/store/__SQLUSER__.
>>>>>>All Interchange applications using the standard "missing" special page
>>>>>>from the demo catalog or a similar one are vulnerable to this attack.
>>>>>>The attacker may learn the SQL access information for your Interchange
>>>>>>application and use this information to read and manipulate sensitive
>>>>>>data.
>>>>>>Attached are patches for the following Interchange versions:
>>>>>>
>>>>>>4.8.x:     Page-4.8.diff
>>>>>>
>>>>>I manually applied this patch to the 4.8.6 system I have running,
>>>>>restarted IC, flushed my browser cache and still seeing the same
>>>>>results...  any thoughts?
>>>>>
>>>>You can use the attached update patch. It works on my 4.8 system, but
>>>>no guarantees whatsoever ...
>>>>
>>>>Any test reports are welcome.
>>>>
>>>I tried the patch first, being lazy, and it didn't work (the reject file
>>>is below).  I then tried manually applying the patch and still not
>>>proper results... Looking at the page presented, I leave info tags and
>>>I'm at this page:
>>>
>>I attached Page.pm from 4.8.6, with my patch applied.
>>Please recheck.
>>
>That worked, it redirected to the violation page which then produced some
>very ugly results, I suspect mainly because it had never been
>targeted...  Thanks again!
>
>Barry

Ok, I didn't like that a hack attempt bounced off to violation.html as it
hints to people that there's something there for them to look into more
deeply. Instead I've opted for bouncing a user off to missing.html which
implies there's nothing to be found or the URL is invalid/useless.

Basically I'm more keen to discourage people from "poking around" than
telling them that they hit something of value. Would this not be a more sensible
policy?

Anyway, for those who are more interested in confusing than denying, I changed
the 2 instances of the following line in Page.pm after applying the latest
patch from Racke.

$name = find_special_page('violation');

to:

$name = find_special_page('missing');

Mark



Eros Shop
vwe internet ltd
PO BOX 1067
SLOUGH
SL1 7YA
UK

Shop - http://www.eros-shop.co.uk
EMail - info at eros-shop.co.uk
Tel - 0870 737 3369
Fax - 0870 737 4469
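An added illustration in Perl (Interchange's language), not code from Interchange or from anyone in this thread: the `__VAR__` interpolation the advisory above describes, a page-name check that keeps such names from ever reaching it, and Mark's choice of routing rejected requests to the "missing" page instead of "violation". The variable table, the page text, the hypothetical `page_name_is_safe` helper and the string standing in for `find_special_page('missing')` are all constructed assumptions.

```perl
#!/usr/bin/perl
# Added illustration, not Interchange code: why a page name taken from the
# URL must be validated before Interchange-style __VAR__ interpolation.
use strict;
use warnings;

# Constructed stand-in for a catalog's variable table (values are fake).
my %vars = (SQLUSER => 'shopdb_user', SQLPASS => 'not-a-real-password');

# Interchange-style interpolation: every __NAME__ token becomes the value
# of variable NAME; unknown names are left untouched.
sub interpolate {
    my ($text, $v) = @_;
    $text =~ s/__([A-Z0-9_]+?)__/exists $v->{$1} ? $v->{$1} : "__$1__"/ge;
    return $text;
}

# Hypothetical allow-list for page names: letters, digits, '_', '-', '/'.
# Any __TOKEN__ sequence is rejected outright; it is the shape from the advisory.
sub page_name_is_safe {
    my ($name) = @_;
    return 0 if $name =~ /__[A-Z0-9_]+?__/;
    return $name =~ m{^[A-Za-z0-9][\w/-]*$} ? 1 : 0;
}

# Vulnerable flow: the requested name is spliced into the "missing" page
# text and then interpolated, so a crafted name exposes variable contents.
sub render_missing_unchecked {
    my ($requested) = @_;
    return interpolate("Page $requested not found", \%vars);
}

# Hardened flow: validate first. On an invalid name serve the plain
# "missing" page (Mark's choice) rather than "violation", and never let the
# raw name reach interpolation. The attempt is still logged for the
# operator, who wants to know about it even if the visitor is told nothing.
sub render_missing_checked {
    my ($requested, $log) = @_;
    unless (page_name_is_safe($requested)) {
        push @$log, "rejected page name: $requested";
        return "missing";   # stands in for find_special_page('missing')
    }
    return interpolate("Page $requested not found", \%vars);
}

my @log;
print render_missing_unchecked('__SQLUSER__'), "\n";      # variable leaks
print render_missing_checked('__SQLUSER__', \@log), "\n"; # generic page only
print "$_\n" for @log;
```

The point of keeping the log line is that sending the visitor to "missing" hides the signal from them, not from you; the rejected names are the detection data worth reviewing.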



