[ic] security

John Beima jbeima@reality.palb.com
Thu, 25 Jan 2001 21:15:39 -0700 (MST)


Oh, and the reason the user is able to see another user's data appears to be a
session issue.

The routines that create the blank user are the auto-account creation routines
on the check-out page. If you remove them as well, the user hopping stops.

It appears that if MiniVend is not able to create an account in the UserDB (my
guess would be that there are two orders going through at the same time trying to
auto-create the same account name, since it is an incrementing number), the
second one fails and, instead of generating an error, receives the user info
from the last logged-in client, or from the other user creation that it collided
with.

Either way, removal of the auto-account creation routines from the check-out
page, and fixing of the userdb.mysql file, should stop all your problems dead in
the water...

John Beima


Quoting Ron Phipps <rphipps@reliant-solutions.com>:

> Sonny,
> 
> I just had a client report that his users were able to log in without
> specifying a username and password.  When they did it would pull up info for
> a person by the name of Kelly.  I looked in the db and sure enough the
> username field was blank.  It appears that there is a bug somewhere in the
> account creation routine that allows for this to happen.  We have not seen how
> this is done, just know that it can be done.  Any ideas?
> 
> Thanks,
> -Ron
> 
> ----- Original Message -----
> From: "Sonny Cook" <sonny@akopia.com>
> To: <interchange-users@minivend.com>
> Sent: Monday, November 27, 2000 11:34 AM
> Subject: Re: [ic] security
> 
> 
> > Although it is not technically a bug, a blank username in the system will
> > do bad things.  Any way that exists to create a user with a blank username
> > is a bug.  If you discover any ways to do this (within interchange) please
> > report it.
> >
> > ---
> > Sonny Cook
> > Akopia
> >
> > "I don't want fifteen dollars."  --Franklin D. Roosevelt
> >
> > On Sun, 26 Nov 2000, John Beima wrote:
> >
> > > Actually after looking through your databases, I must assure everyone
> > > this is NOT, I repeat NOT, a bug...
> > >
> > > You have had 102 people use the auto creation of a user account on your
> > > checkout page, which may be part of the source of the problem, but it
> > > seems to be working fine.
> > >
> > > There were at LEAST ten invoices sold to an account with " " as the
> > > username and " " as the password. What is just happening is each person
> > > down the line is logging on as the last person, hence having his data
> > > retrieved.
> > >
> > > I am not sure how they are creating an account with a 1 character space
> > > as the username and password, but someone did. The rest just logged on
> > > under it.
> > >
> > > Maybe we should beg Mike to take a little look into this. Peter is
> > > running 4.5.6 of Interchange...
> > >
> > >
> > > John Beima
> > >
> > >
> > > Quoting peterferguson <peterferguson@tinyworld.co.uk>:
> > >
> > > > Has anyone experienced seeing other users' details on checkout?
> > > >
> > > > Please contact me as to how this problem can be resolved.
> > > >
> > > > Thanks,
> > > >
> > > > Pete
> > > >
> > >
> > >
> > > John Beima
> > > jbeima@palb.com
> > >
> > > P.A.L.B. Systems - Phone: (780)451-1086 - Fax: (780)447-4760
> > > 11639-122 Street, Edmonton, Alberta, Canada, T5M 0B6
> > >
> > > _______________________________________________
> > > Interchange-users mailing list
> > > Interchange-users@www.minivend.com
> > > http://www.minivend.com/mailman/listinfo/interchange-users
> > >
> >
> >
> 
> 
> _______________________________________________
> Interchange-users mailing list
> Interchange-users@lists.akopia.com
> http://lists.akopia.com/mailman/listinfo/interchange-users
> 



John Beima
jbeima@palb.com

P.A.L.B. Systems - Phone: (780)451-1086 - Fax: (780)447-4760
11639-122 Street, Edmonton, Alberta, Canada, T5M 0B6
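The two failure points discussed in this thread (a whitespace-only username that every blank login then matches, and a colliding auto-create that falls through to an existing record) as a defensive illustration in Python with an in-memory SQLite stand-in for the UserDB. This is an added example, not Interchange/MiniVend code; the table layout, the sample "kelly" row and the function names are assumptions.

```python
import sqlite3

class AccountError(Exception):
    """Raised instead of silently falling back to another user's record."""

def make_userdb():
    # Constructed stand-in for the UserDB (assumed schema, not Interchange's).
    # The PRIMARY KEY makes a colliding auto-create fail at the database.
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE userdb (username TEXT PRIMARY KEY, "
        "password TEXT NOT NULL, name TEXT)"
    )
    # Constructed sample row standing in for the existing customer.
    db.execute("INSERT INTO userdb VALUES ('kelly', 'pw-kelly', 'Kelly')")
    db.commit()
    return db

def create_account(db, username, password, name):
    # Reject blank or whitespace-only credentials before they reach the table;
    # a ' ' username is what let each customer log in as the previous one.
    if username is None or not username.strip():
        raise AccountError("blank username rejected")
    if password is None or not password.strip():
        raise AccountError("blank password rejected")
    username = username.strip()
    try:
        db.execute(
            "INSERT INTO userdb (username, password, name) VALUES (?, ?, ?)",
            (username, password, name),
        )
        db.commit()
    except sqlite3.IntegrityError:
        # Two checkouts auto-generating the same incrementing name: the loser
        # gets an error, not the other order's (or a previous login's) data.
        raise AccountError("username %r already exists" % username)
    return username

def login(db, username, password):
    # A blank username is never a lookup key, so a stray blank row in the table
    # cannot be matched by an empty login form.
    if username is None or not username.strip():
        return None
    row = db.execute(
        "SELECT name FROM userdb WHERE username = ? AND password = ?",
        (username.strip(), password),
    ).fetchone()
    return row[0] if row else None
```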