[ic] Security Problem in Interchange

Barry Treahy, Jr. Treahy at MMaz.com
Mon Mar 29 11:35:48 EST 2004


Stefan Hornburg wrote:

>On Mon, 29 Mar 2004 08:25:14 -0700
>"Barry Treahy, Jr." <Treahy at mmaz.com> wrote:
>
>>Stefan Hornburg wrote:
>>
>>>Dear Interchange community !
>>>
>>>All versions of Interchange (4.8.x, 5.0.x, 5.1.x) contain a security hole
>>>which allows an attacker to expose arbitrary variable contents by using
>>>a URL like http://shop.example.com/cgi-bin/store/__SQLUSER__.
>>>
>>>All Interchange applications using the standard "missing" special page
>>>from the demo catalog or a similar one are vulnerable to this attack.
>>>
>>>The attacker may learn the SQL access information for your Interchange
>>>application and use this information to read and manipulate sensitive
>>>data.
>>>
>>>Attached are patches for the following Interchange versions:
>>>
>>>4.8.x:     Page-4.8.diff
>>>
>>I manually applied this patch to the 4.8.6 system I have running,
>>restarted IC, flushed my browser cache and still seeing the same
>>results...  any thoughts?
>>
>You can use the attached update patch. It works on my 4.8 system, but
>no guarantees whatsoever ...
>
>Any test reports are welcome.
>
I tried the patch first, being lazy, and it didn't work (the reject file 
is below).  I then tried manually applying the patch and still not 
proper results... Looking at the page presented, I leave info tags and 
I'm at this page:

<!-- Currently at ../special_pages/missing, Country: US -->

Barry




[root at mml2 Vend]# cat  Page.pm.rej
***************
*** 60,66 ****
                                        "Security violation -- scripting 
character in page name '%s'.",
                                        $name,
                                );
-                       $name = 'violation';
                        1 while $subject =~ s/[\@_]_/_/g;
                };
 
--- 59,65 ----
                                        "Security violation -- scripting 
character in page name '%s'.",
                                        $name,
                                );
+                       $name = find_special_page('violation');
                        1 while $subject =~ s/[\@_]_/_/g;
                };
 
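Review bot: the `-` line `$name = 'violation';` no longer matches the file, which is what a manual edit of the same spot would leave behind, so this hunk was most likely rejected because the change is already in Page.pm rather than because it failed to apply. Confirm with `grep -n "find_special_page('violation')" Page.pm`; both occurrences (this one in the `$subject` cleanup block and the one in `display_page`) should be present. Replacing the literal `'violation'` with `find_special_page('violation')` is the right change, since it resolves the SpecialPage name the catalog actually configures, and the following `1 while $subject =~ s/[\@_]_/_/g;` only rewrites `$subject`, so the resolved `$name` is left intact.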
***************
*** 84,100 ****
        my($name) = @_;
        my($page);
 
        $name =~ m/[\[<]|[\@_]_[A-Z]\w+_[\@_]|\@\@[A-Z]\w+\@\@/
                and do {
                        ::logGlobal(
                                        "Security violation -- scripting 
character in page name '%s'.",
                                        $name,
                                );
-                       $name = 'violation';
                        return display_special_page($name);
                };
 
-       $name = $CGI::values{mv_nextpage} unless $name;
  #::logDebug("display_page: $name");
        if($Vend::Cfg->{ExtraSecure} and
                $Vend::Cfg->{AlwaysSecure}->{$name}
--- 83,100 ----
        my($name) = @_;
        my($page);
 
+       $name ||= $CGI::values{mv_nextpage};
+
        $name =~ m/[\[<]|[\@_]_[A-Z]\w+_[\@_]|\@\@[A-Z]\w+\@\@/
                and do {
                        ::logGlobal(
                                        "Security violation -- scripting 
character in page name '%s'.",
                                        $name,
                                );
+                       $name = find_special_page('violation');
                        return display_special_page($name);
                };
 
  #::logDebug("display_page: $name");
        if($Vend::Cfg->{ExtraSecure} and
                $Vend::Cfg->{AlwaysSecure}->{$name}
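Review bot: the important part of this hunk is the ordering, not the `find_special_page` call. In the old code `$name = $CGI::values{mv_nextpage} unless $name;` ran after the scripting-character test, so a page name supplied through `mv_nextpage` was never inspected; moving `$name ||= $CGI::values{mv_nextpage};` above the `m/[\[<]|[\@_]_[A-Z]\w+_[\@_]|\@\@[A-Z]\w+\@\@/` test closes that gap. When checking a hand-applied copy, verify that the `||=` line sits before the regex and that the old `unless $name` assignment below the block is gone, otherwise the bypass remains. Separately, the `<!-- Currently at ../special_pages/missing ... -->` comment quoted above shows that request never reached the `violation` page, so it is worth confirming that the Page.pm the running server loads is the edited one.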
[root at mml2 Vend]#

-- 

Barry Treahy, Jr                       E-mail: Treahy at MMaz.com
Midwest Microwave                          Phone: 480/314-1320
Vice President & CIO                         FAX: 480/661-7028
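An added illustration, written for this thread and not taken from Interchange or from the patch, of the check the rejected hunks describe; it is in Perl because that is what Page.pm is written in. The pattern is the one from the diff, `find_special_page` is a hypothetical stand-in for Interchange's SpecialPage lookup, and the page names are constructed inputs. The fourth case is only caught because the `mv_nextpage` fallback is resolved before the check runs, which is what the second hunk changes.

```perl
#!/usr/bin/perl
# Added example (not Interchange's own code): reproduces the page-name check
# from the Page.pm patch and shows why the mv_nextpage fallback has to be
# resolved before that check. All names below are constructed test input.
use strict;
use warnings;

# Same pattern the patch uses: a bracket/angle character, or anything that
# looks like an Interchange variable token (__NAME__, @_NAME_@, @@NAME@@).
my $SCRIPTING_RE = qr/[\[<]|[\@_]_[A-Z]\w+_[\@_]|\@\@[A-Z]\w+\@\@/;

# Hypothetical stand-in for Interchange's SpecialPage lookup.
sub find_special_page {
    my ($tag) = @_;
    my %special = (
        violation => '../special_pages/violation',
        missing   => '../special_pages/missing',
    );
    return $special{$tag};
}

# Mirrors the patched display_page() flow: fall back to mv_nextpage first,
# then reject anything that could later be expanded as a variable.
sub resolve_page {
    my ($name, $cgi) = @_;
    $name ||= $cgi->{mv_nextpage};           # fallback BEFORE the check
    if (defined $name && $name =~ $SCRIPTING_RE) {
        warn "Security violation -- scripting character in page name '$name'.\n";
        return find_special_page('violation');
    }
    return $name;
}

# Constructed inputs: [ page name from the path, CGI values ]
my @cases = (
    [ 'products/widget', {} ],
    [ '__SQLUSER__',     {} ],                              # the advisory's URL
    [ '@@SQLPASS@@',     {} ],
    [ '',                { mv_nextpage => '__SQLUSER__' } ], # only caught with the new ordering
    [ '[tag]',           {} ],
);

for my $c (@cases) {
    my ($name, $cgi) = @$c;
    printf "%-20s -> %s\n", "'$name'", resolve_page($name, $cgi);
}
```

Running it prints the resolved page for each case; the first name passes through unchanged and the other four are redirected to the violation page, with the `warn` line going to stderr just as `::logGlobal` would go to the Interchange log.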




More information about the interchange-users mailing list