[ic] security

Ron Phipps rphipps@reliant-solutions.com
Thu, 25 Jan 2001 14:09:22 -0800


Sonny,

I just had a client report that his users were able to log in without
specifying a username and password.  When they did, it would pull up info for
a person by the name of Kelly.  I looked in the db and sure enough the
username field was blank.  It appears that there is a bug somewhere in the
account creation routine that allows for this to happen.  We have not seen how
this is done, just know that it can be done.  Any ideas?

Thanks,
-Ron

----- Original Message -----
From: "Sonny Cook" <sonny@akopia.com>
To: <interchange-users@minivend.com>
Sent: Monday, November 27, 2000 11:34 AM
Subject: Re: [ic] security


> Although it is not technically a bug, a blank username in the system will
> do bad things.  Any way that exists to create a user with a blank username
> is a bug.  If you discover any ways to do this (within interchange) please
> report it.
>
> ---
> Sonny Cook
> Akopia
>
> "I don't want fifteen dollars."  --Franklin D. Roosevelt
>
> On Sun, 26 Nov 2000, John Beima wrote:
>
> > Actually after looking through your databases, I must assure everyone this is
> > NOT I repeat NOT a bug...
> >
> > You have had 102 people use the auto creation of a user account on your checkout
> > page. Which may be part of the source of the problem, but it seems to be working
> > fine.
> >
> > There were at LEAST ten invoices sold to an account with " " as the username and
> > " " as the password. What is just happening is each person down the line is
> > logging on as the last person hence having his data retrieved.
> >
> > I am not sure how they are creating an account with a 1 character space as the
> > username and password, but someone did. The rest just logged on under it.
> >
> > Maybe we should beg Mike to take a little look into this. Peter is running 4.5.6
> > of Interchange...
> >
> >
> > John Beima
> >
> >
> > Quoting peterferguson <peterferguson@tinyworld.co.uk>:
> >
> > > Has anyone experienced seeing others user details on checkout?
> > >
> > > Please contact me as to how this problem can be resolved.
> > >
> > > Thanks,
> > >
> > > Pete
> > >
> >
> >
> > John Beima
> > jbeima@palb.com
> >
> > P.A.L.B. Systems - Phone: (780)451-1086 - Fax: (780)447-4760
> > 11639-122 Street, Edmonton, Alberta, Canada, T5M 0B6
> >
> > _______________________________________________
> > Interchange-users mailing list
> > Interchange-users@www.minivend.com
> > http://www.minivend.com/mailman/listinfo/interchange-users
> >