[ic] Security hole in IC admin

Jon Jensen jon@akopia.com
Mon, 16 Apr 2001 17:34:58 -0500 (CDT)

Bad news.

Serious security holes have been found in two pages of the Interchange web
administration back-end, versions 4.5.3 through 4.6.4. They are not
normally directly accessed by the administrator and escaped notice until
Merlyn J. Pease <peasemj@bellatlantic.net> reported finding the problem.

The page 'do_view' allows unauthenticated reading of files in the catalog
directory, most notably any of the plain-text sources to database tables.

The page 'page_save' allows an unauthenticated user to overwrite files in
the catalog pages/ directory.

The holes have been plugged in CVS, both stable and development, and in
Interchange 4.6.5 which will be released shortly. You can use the patches
below to fix any production Interchange installations you're responsible
for. Please spread the word to any other Interchange administrators who
may not be monitoring this mailing list.

Thanks to Merlyn for finding this and letting us know.


Index: do_view.html
RCS file: /anon_cvs/repository/interchange/dist/lib/UI/pages/admin/do_view.html,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- do_view.html        2000/08/05 13:55:37     1.2
+++ do_view.html        2001/04/14 22:28:29     1.3
@@ -1,6 +1,10 @@
 [seti total_junk][perl]
        delete $Scratch->{violation};
        $_ = delete $Session->{arg};
+       $Scratch->{violation} = errmsg('Must be logged in.')
+               unless $Session->{logged_in};
+       $Scratch->{violation} = errmsg('Must be logged in as admin.')
+               unless $Session->{admin};
        $Scratch->{violation} = 'No .. allowed in file name.'
                if m{\.\./};
        $Scratch->{violation} = 'No | allowed.'
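Review bot: the two new assignments at the top of the hunk set `$Scratch->{violation}` but do not stop the checks that follow, so the later `'No .. allowed in file name.'` and `'No | allowed.'` lines overwrite the "Must be logged in" message whenever the file name also fails those tests, and the operator sees a path-sanitisation error rather than the authentication failure that is the real reason for refusing the request. Guarding the subsequent checks with `unless $Scratch->{violation}` (or returning as soon as the session checks fail) keeps the first, most important reason. Minor: since the admin test overwrites the logged_in message, the logged_in line only ever survives when the session is neither logged in nor admin, which the admin line already rejects; one check on `$Session->{admin}` would carry the same protection.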

Index: page_save.html
RCS file: /anon_cvs/repository/interchange/dist/lib/UI/pages/admin/page_save.html,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- page_save.html      2000/12/07 22:53:23     1.6
+++ page_save.html      2001/04/14 22:28:29     1.7
@@ -1,3 +1,11 @@
+[if !session admin]
+[or !session logged_in]
+       [set violation]Must be logged in as admin.[/set]
+       [bounce page="__UI_BASE__/error"]
        my @filters = grep /^ui_filter:/, keys %$CGI;
        foreach my $key (@filters) {
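Review bot: the `[if !session admin]` / `[or !session logged_in]` block that opens this hunk has no `[/if]` within the visible lines, and the unchanged Perl code that follows (`my @filters = grep /^ui_filter:/, keys %$CGI;`) must not run for an unauthenticated request; please confirm that the `[if]` is closed before that Perl block and that `[bounce page="__UI_BASE__/error"]` actually halts processing of the page rather than only emitting the redirect, otherwise the file write could still happen before the browser is sent to the error page. Style: the message is set with a plain `[set violation]Must be logged in as admin.[/set]`, whereas the matching do_view.html fix wraps the same text in `errmsg(...)`; using `errmsg` here too keeps the two admin messages translatable in the same way.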