[ic] Security Risk In UI...

John Beima interchange-users@lists.akopia.com
Mon Jul 16 11:38:00 2001


G'Day Folks,

I have found a few little bugs in the UI, and it seems that submitting a bug
report was a waste of time... Maybe from now on all bug reports should be
submitted through the RedHat network to see if they may be resolved... Maybe
requests coming from RedHat themselves will get these fixed... However, here are
the first few you need to watch out for:

01) Security Compromise: When you set the global variable UI_SECURE = 1, the UI
should run completely through SSL. This is done in all but 1 case. When you
bring up a table and select more than one field and click "edit in sequence",
the first item you edit runs through SSL, then you drop out of the protection of
SSL and run the rest of the edits through non-SSL... This IS a security hole
and a bug. It has been reported but has basically been ignored.

02) The Wizard will only work if you are in the US. The whole
internationalization of it, at this point in time, means nothing. When you get
to the shipping screen, it states that if you are not in the US to leave the
origin zip code blank. If you do this the wizard will not complete, since it
will not accept a blank value. If you put a non-US postal/zip code in, it errors
out saying this is not a US zip code. This means all non-US countries must enter
a bogus US zip code and then go back and fix all the bogus entries the wizard
put in. What it should do is allow us the option to skip this step and enter our
own shipping formulas... RedHat/Akopia did state this was because the UPS/FedEx
modules did not support other countries and when they are updated, then Akopia
would update the wizard. However it is still in the here and now, and non-US
countries need to be able to complete the Wizard too.

03) The Signio/VeriSign Payflow Pro module is broken for all new customers...
Since this module ignores the values in the MV_PAYMENT_SERVER variable, all new
Signio/VeriSign Payflow Pro setups will not work. The current module has the
server addresses hard coded, ignoring the variable. Well, due to VeriSign merging
with Signio the server names have changed. This is why people are having
problems setting this up. RedHat/Akopia is aware of this, and refuses to fix it.
So everyone that is setting up new accounts with Payflow Pro accounts will need
to edit the /usr/local/interchange/lib/Vend/Payment/Signio.pm file and replace
the hard coded server string variables with the correct ones.

04) The results.html page has an error in its logic. The form that is generated
when a search is done doesn't allow you to place items in your basket if your
SSL and non-SSL domains are different. You will see me posting updated
results.html files to the list every so often... That resolves this bug by
making changes to the form to fix it.

05) The UI now ignores the two variables UI_IMAGE_DIR and UI_IMAGE_DIR_SECURE.
This seems to have to do with the internationalization. No matter what you
define these values as, they get wiped and replaced with
/interchange/(language)... This could be the cause of many people's grief with
missing images... I know it caused me pains...

Well, I think from now on I will just post this list here to keep you folks
aware of the discovered bugs. Since it seems that submitting them doesn't always
get them fixed, you should at least know about them so we can all find
workarounds...



John Beima
jbeima@palb.com, support@alocalagent.com, and support@alocalchurch.com

P.A.L.B. Systems - Phone: (780)451-1086 - Fax: (780)447-4760
11639-122 Street, Edmonton, Alberta, Canada, T5M 0B6

Affordable Web Pages - Phone: (888)932-9990 - Fax: (256)351-7297
2713B Spring Place SW, Decatur, Alabama, United States, 35603
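As an added example (not part of John's post or of Interchange itself), a small log audit that surfaces the symptom described in item 01: admin UI requests that arrive over plain HTTP after the same session has already used the UI over SSL. The log format, the session field and the /cgi-bin/store/admin/ path are assumptions made for this example.

```python
"""Audit web-server log lines for admin UI requests that arrived over plain HTTP.

Assumed log format (not Interchange's own):  <port> <client> <session> "<method> <path>" <status>
Port 443 = SSL, port 80 = plain HTTP; the admin UI is assumed to live under UI_PREFIX."""
import re

UI_PREFIX = "/cgi-bin/store/admin/"  # assumed UI path, adjust per catalog

LOG_RE = re.compile(r'^(?P<port>\d+) (?P<client>\S+) (?P<session>\S+) '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})$')

# Constructed sample: sess1 opens the UI over SSL, then "edit in sequence" carries on
# over plain HTTP; sess2 is a shopper on the storefront; sess3 stays on SSL.
SAMPLE_LOG = """\
443 10.0.0.5 sess1 "GET /cgi-bin/store/admin/index.html" 200
443 10.0.0.5 sess1 "POST /cgi-bin/store/admin/item_edit.html?mv_action=edit_in_sequence" 200
80 10.0.0.5 sess1 "GET /cgi-bin/store/admin/item_edit.html?item=2" 200
80 10.0.0.5 sess1 "GET /cgi-bin/store/admin/item_edit.html?item=3" 200
80 10.0.0.9 sess2 "GET /cgi-bin/store/index.html" 200
443 10.0.0.7 sess3 "GET /cgi-bin/store/admin/index.html" 200
"""

def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec

def audit_ui_requests(lines, ui_prefix=UI_PREFIX):
    """Return (session, path, after_ssl) for each UI request served over plain HTTP.

    With UI_SECURE = 1 every such hit is a finding; after_ssl is True when the same
    session had already used the UI over SSL, i.e. the mid-sequence dropout pattern."""
    seen_secure = set()
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(ui_prefix):
            continue  # unparsable or storefront traffic, not the admin UI
        if rec["port"] == 443:
            seen_secure.add(rec["session"])
        else:
            findings.append((rec["session"], rec["path"], rec["session"] in seen_secure))
    return findings

if __name__ == "__main__":
    for session, path, after_ssl in audit_ui_requests(SAMPLE_LOG.splitlines()):
        print(f"{session}: {path} over plain HTTP (after an SSL UI request: {after_ssl})")
```

Run against the constructed sample, the two item_edit.html requests from sess1 are reported, while the storefront hit and the all-SSL session are not.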