[ic] Security Problem in Interchange

Eros Shop info at eros-shop.co.uk
Mon Mar 29 11:12:12 EST 2004


At 16:45 29/03/2004, you wrote:
>On Mon, 29 Mar 2004 08:25:14 -0700
>"Barry Treahy, Jr." <Treahy at mmaz.com> wrote:
>
> > Stefan Hornburg wrote:
> >
> > >Dear Interchange community !
> > >
> > >All versions of Interchange (4.8.x, 5.0.x, 5.1.x) contain a security hole
> > >which allows an attacker to expose arbitrary variable contents by using
> > >a URL like http://shop.example.com/cgi-bin/store/__SQLUSER__.
> > >
> > >All Interchange applications using the standard "missing" special page
> > >from the demo catalog or a similar one are vulnerable to this attack.
> > >The attacker may learn the SQL access information for your Interchange
> > >application and use this information to read and manipulate sensitive
> > >data.
> > >
> > >Attached are patches for the following Interchange versions:
> > >
> > >4.8.x:     Page-4.8.diff
> > >
> > >
> > I manually applied this patch to the 4.8.6 system I have running,
> > restarted IC, flushed my browser cache and still seeing the same
> > results...  any thoughts?
>
>I'll investigate this. Do you see an error message in your global
>log file?
>
>         Racke

Is this patch supposed to deal with all __XXXXX__ catalog literals?

I'm not using SQL atm, but I've still used the patch as I was concerned 
about other literals being exposed... and they were :(

So, I've patched IC 4.8.6 with the Page-4.8.diff file and I'm still able to 
use variants of the above URL, substituting __SQLUSER__ 
with __PGP_KEY__ and __ORDERS_TO__, and they reveal their contents quite 
happily on the error page, e.g.:


Sorry, the page ABC95E31 was not found

The requested page (ABC95E31) was not found. You can return to browsing our 
catalog <https://secure.vwe.net/cgi-bin/eros/index.html>, if you wish.

Nothing appears in any of the error logs, so I'm not sure what's going on 
here or if this patch makes any difference at all?

Many thanks

Mark



Eros Shop
vwe internet ltd
PO BOX 1067
SLOUGH
SL1 7YA
UK

Shop - http://www.eros-shop.co.uk
EMail - info at eros-shop.co.uk
Tel - 0870 737 3369
Fax - 0870 737 4469
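As an added illustration, not code from the thread or from Interchange itself, the following Python models the class of flaw the advisory describes: the requested page name is spliced into the "missing" page before __NAME__ expansion runs, so a name such as __SQLUSER__ is expanded like any template token. Beside the vulnerable rendering is one hardened rendering (expand the trusted template first, then splice in a neutralized name), and a check that scans access-log lines for __NAME__ probes, URL-decoding the path so encoded underscores are caught too. The catalog values, the template, the log lines and the neutralize() step are all constructed for this example; nothing here describes what Page-4.8.diff actually changes.

```python
"""Model of the Interchange __VARIABLE__ disclosure discussed in the thread.

Added example, not Interchange code: the catalog variables, the template and
the log lines below are constructed for illustration.
"""
import re
from urllib.parse import unquote

# Constructed stand-in for a catalog's variable definitions (hypothetical values).
CATALOG_VARS = {
    "SQLUSER": "shopdb_user",
    "SQLPASS": "hunter2",
    "ORDERS_TO": "orders@example.com",
}

# Hypothetical 'missing' special page: {page} marks where the requested page
# name is spliced in. The template legitimately uses a __NAME__ token itself.
MISSING_TEMPLATE = (
    "Sorry, the page {page} was not found. "
    "Questions? Write to __ORDERS_TO__."
)

# __NAME__ tokens, expanded from the catalog variables.
VAR_RE = re.compile(r"__([A-Z][A-Z0-9_]*?)__")


def expand_vars(text, catalog):
    """Replace every __NAME__ with its catalog value; unknown names are left alone."""
    return VAR_RE.sub(lambda m: catalog.get(m.group(1), m.group(0)), text)


def render_missing_vulnerable(requested_page, catalog):
    """Splice the untrusted page name in FIRST, then expand: the attacker's
    __SQLUSER__ is indistinguishable from the template's own tokens."""
    page = MISSING_TEMPLATE.replace("{page}", requested_page)
    return expand_vars(page, catalog)


def neutralize(name):
    """Make a user-supplied page name inert for any later template pass:
    collapse runs of underscores (a token needs two in a row) and escape the
    square brackets that open Interchange tags. (Illustrative fix only.)"""
    name = re.sub(r"_{2,}", "_", name)
    return name.replace("[", "&#91;").replace("]", "&#93;")


def render_missing_fixed(requested_page, catalog):
    """Expand the trusted template alone, then splice in the neutralized name.
    A further expansion pass over the result changes nothing."""
    page = expand_vars(MISSING_TEMPLATE, catalog)
    return page.replace("{page}", neutralize(requested_page))


# Constructed Apache-style access log lines: two probes from one client (the
# second with URL-encoded underscores), a normal request, and a third probe.
LOG_LINES = [
    '203.0.113.5 - - [29/Mar/2004:16:45:01 +0100] "GET /cgi-bin/store/__SQLUSER__ HTTP/1.0" 200 512',
    '203.0.113.5 - - [29/Mar/2004:16:45:03 +0100] "GET /cgi-bin/store/%5F%5FSQLPASS%5F%5F HTTP/1.0" 200 512',
    '198.51.100.7 - - [29/Mar/2004:16:46:10 +0100] "GET /cgi-bin/store/index.html HTTP/1.0" 200 8120',
    '198.51.100.7 - - [29/Mar/2004:16:47:22 +0100] "GET /cgi-bin/store/__ORDERS_TO__ HTTP/1.0" 200 512',
]

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+)')


def find_probes(lines):
    """Return (client, variable) pairs for requests whose path carries a __NAME__
    token. The path is URL-decoded first so %5F%5FSQLUSER%5F%5F is caught too."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, path = m.group(1), unquote(m.group(2))
        for name in VAR_RE.findall(path):
            hits.append((client, name))
    return hits


if __name__ == "__main__":
    print(render_missing_vulnerable("__SQLUSER__", CATALOG_VARS))
    print(render_missing_fixed("__SQLUSER__", CATALOG_VARS))
    for client, var in find_probes(LOG_LINES):
        print(f"{client} probed __{var}__")
```

The ordering is the whole point: once untrusted text has been merged into a template, no later pass can tell the attacker's tokens from the template's own. Expanding first and splicing last, with the spliced value stripped of the token syntax, is the same discipline as parameterised SQL or context-aware HTML escaping. The log scan is a quick way to find out whether a shop was already probed before the patch went on.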



