[ic] Security Problem in Interchange
Eros Shop
info at eros-shop.co.uk
Mon Mar 29 13:40:25 EST 2004
At 19:03 29/03/2004, you wrote:
>Stefan Hornburg wrote:
>
>>On Mon, 29 Mar 2004 09:35:48 -0700
>>"Barry Treahy, Jr." <Treahy at mmaz.com> wrote:
>>
>>>Stefan Hornburg wrote:
>>>
>>>>On Mon, 29 Mar 2004 08:25:14 -0700
>>>>"Barry Treahy, Jr." <Treahy at mmaz.com> wrote:
>>>>
>>>>>Stefan Hornburg wrote:
>>>>>
>>>>>>Dear Interchange community!
>>>>>>
>>>>>>All versions of Interchange (4.8.x, 5.0.x, 5.1.x) contain a security hole
>>>>>>which allows an attacker to expose arbitrary variable contents by using
>>>>>>a URL like http://shop.example.com/cgi-bin/store/__SQLUSER__.
>>>>>>All Interchange applications using the standard "missing" special page
>>>>>>from the demo catalog or a similar one are vulnerable to this attack.
>>>>>>The attacker may learn the SQL access information for your Interchange
>>>>>>application and use this information to read and manipulate sensitive
>>>>>>data.
>>>>>>Attached are patches for the following Interchange versions:
>>>>>>
>>>>>>4.8.x: Page-4.8.diff
>>>>>>
>>>>>I manually applied this patch to the 4.8.6 system I have running,
>>>>>restarted IC, flushed my browser cache and am still seeing the same
>>>>>results... any thoughts?
>>>>>
>>>>You can use the attached update patch. It works on my 4.8 system, but
>>>>no guarantees whatsoever ...
>>>>
>>>>Any test reports are welcome.
>>>>
>>>I tried the patch first, being lazy, and it didn't work (the reject file
>>>is below). I then tried manually applying the patch and still not
>>>proper results... Looking at the page presented, I leave info tags and
>>>I'm at this page:
>>>
>>I attached Page.pm from 4.8.6, with my patch applied.
>>Please recheck.
>>
>That worked, it redirected to the violation page which then produced some
>very ugly results, I suspect mainly because it had never been
>targeted... Thanks again!
>
>Barry
Ok, I didn't like that a hack attempt bounced off to violation.html as it
hints to people that there's something there for them to look into more
deeply. Instead I've opted for bouncing a user off to missing.html which
implies there's nothing to be found or the URL is invalid/useless.
Basically I'm more keen to discourage people from "poking around" than
telling them that they hit something of value. Would this not be a more sensible
policy?
Anyway, for those who are interested in confusing rather than denying, I changed
the 2 instances of the following line in Page.pm after applying the latest
patch from Racke.
$name = find_special_page('violation');
to:
$name = find_special_page('missing');
Mark
Eros Shop
vwe internet ltd
PO BOX 1067
SLOUGH
SL1 7YA
UK
Shop - http://www.eros-shop.co.uk
EMail - info at eros-shop.co.uk
Tel - 0870 737 3369
Fax - 0870 737 4469
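To illustrate the defect the thread is about (the requested page name being expanded like a catalog variable by the "missing" page) and the two routing choices discussed above, here is an added stand-alone example. It is not Interchange's Page.pm or any code from the thread; the template engine, variable table and page-selection helper are constructed assumptions written in Python, not Perl.

```python
import re

# Constructed catalog variables; values are placeholders, not real credentials.
VARIABLES = {"SQLUSER": "shop_db_user", "SQLPASS": "placeholder", "COMPANY": "Example Shop"}

# A variable token of the __NAME__ form (upper-case names, as in the thread's example).
VAR_TOKEN = re.compile(r"__([A-Z][A-Z0-9_]*)__")

def expand_variables(text, variables=VARIABLES):
    """Replace __NAME__ tokens with catalog variable values, as a catalog
    template engine does; unknown names are left untouched."""
    return VAR_TOKEN.sub(lambda m: variables.get(m.group(1), m.group(0)), text)

# Constructed "missing" page template; [page-name] stands for the requested page.
MISSING_TEMPLATE = "__COMPANY__: sorry, the page [page-name] does not exist."

def render_missing_unsafe(page_name):
    """The failure mode described in the thread: the requested name is spliced
    into the template before variable expansion, so a request whose name is
    itself a __NAME__ token gets expanded like any catalog variable."""
    return expand_variables(MISSING_TEMPLATE.replace("[page-name]", page_name))

def render_missing_safe(page_name):
    """Expand the template first, then splice in the raw name, so untrusted
    input never reaches the variable expander."""
    return expand_variables(MISSING_TEMPLATE).replace("[page-name]", page_name)

def looks_like_variable_probe(page_name):
    """True if the requested page name contains a variable token anywhere;
    such a name is never a real page and is worth logging server-side."""
    return VAR_TOKEN.search(page_name) is not None

def special_page_for(page_name, quiet=True):
    """Choose the special page to serve for an unknown page name. The patched
    Page.pm sends token-like names to 'violation'; quiet=True follows Mark's
    choice of 'missing' instead, so the response gives the visitor no hint."""
    if looks_like_variable_probe(page_name):
        return "missing" if quiet else "violation"
    return "missing"
```

Whichever special page is served, the server-side check in looks_like_variable_probe is what you would hook a log line or alert onto, since "missing" deliberately tells the visitor nothing.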