[ic] Security Problem in Interchange
Barry Treahy, Jr.
Treahy at MMaz.com
Mon Mar 29 11:35:48 EST 2004
Stefan Hornburg wrote:
>On Mon, 29 Mar 2004 08:25:14 -0700
>"Barry Treahy, Jr." <Treahy at mmaz.com> wrote:
>
>
>>Stefan Hornburg wrote:
>>
>>
>>>Dear Interchange community !
>>>
>>>All versions of Interchange (4.8.x, 5.0.x, 5.1.x) contain a security hole
>>>which allows an attacker to expose arbitrary variable contents by using
>>>a URL like http://shop.example.com/cgi-bin/store/__SQLUSER__.
>>>
>>>All Interchange applications using the standard "missing" special page
>>>from the demo catalog or a similar one are vulnerable to this attack.
>>>
>>>The attacker may learn the SQL access information for your Interchange
>>>application and use this information to read and manipulate sensitive
>>>data.
>>>
>>>Attached are patches for the following Interchange versions:
>>>
>>>4.8.x: Page-4.8.diff
>>>
>>>
>>>
>>>
>>I manually applied this patch to the 4.8.6 system I have running,
>>restarted IC, flushed my browser cache and still seeing the same
>>results... any thoughts?
>>
>>
>
>You can use the attached update patch. It works on my 4.8 system, but
>no guarantees whatsoever ...
>
>Any test reports are welcome.
>
>
>
I tried the patch first, being lazy, and it didn't work (the reject file
is below). I then tried manually applying the patch and still not
proper results... Looking at the page presented, I leave info tags and
I'm at this page:
<!-- Currently at ../special_pages/missing, Country: US -->
Barry
[root at mml2 Vend]# cat Page.pm.rej
***************
*** 60,66 ****
"Security violation -- scripting
character in page name '%s'.",
$name,
);
- $name = 'violation';
1 while $subject =~ s/[\@_]_/_/g;
};
--- 59,65 ----
"Security violation -- scripting
character in page name '%s'.",
$name,
);
+ $name = find_special_page('violation');
1 while $subject =~ s/[\@_]_/_/g;
};
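Review bot: the `1 while $subject =~ s/[\@_]_/_/g;` line right after the changed assignment only collapses `__` and `@_` pairs, while the page-name match in the second hunk also rejects the `@@NAME@@` form, so a `$subject` carrying that form passes through this loop unchanged. Either extend the substitution to cover `@@` as well, or add a comment stating why `$subject` cannot contain it at this point.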
***************
*** 84,100 ****
my($name) = @_;
my($page);
$name =~ m/[\[<]|[\@_]_[A-Z]\w+_[\@_]|\@\@[A-Z]\w+\@\@/
and do {
::logGlobal(
"Security violation -- scripting
character in page name '%s'.",
$name,
);
- $name = 'violation';
return display_special_page($name);
};
- $name = $CGI::values{mv_nextpage} unless $name;
#::logDebug("display_page: $name");
if($Vend::Cfg->{ExtraSecure} and
$Vend::Cfg->{AlwaysSecure}->{$name}
--- 83,100 ----
my($name) = @_;
my($page);
+ $name ||= $CGI::values{mv_nextpage};
+
$name =~ m/[\[<]|[\@_]_[A-Z]\w+_[\@_]|\@\@[A-Z]\w+\@\@/
and do {
::logGlobal(
"Security violation -- scripting
character in page name '%s'.",
$name,
);
+ $name = find_special_page('violation');
return display_special_page($name);
};
#::logDebug("display_page: $name");
if($Vend::Cfg->{ExtraSecure} and
$Vend::Cfg->{AlwaysSecure}->{$name}
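Review bot: the `$name ||= $CGI::values{mv_nextpage};` line added at the top of this hunk carries no comment saying it must stay above the pattern match, and that ordering is the whole point of the change, since it is what brings the CGI-supplied page name under the check. A one-line comment there would keep a later cleanup from moving the fallback back below the match, where the old `unless $name` line sat.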
[root at mml2 Vend]#
--
Barry Treahy, Jr E-mail: Treahy at MMaz.com
Midwest Microwave Phone: 480/314-1320
Vice President & CIO FAX: 480/661-7028
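
For anyone checking whether a shop was already probed this way, here is a log check added as an example; it is not part of the original post or of Interchange. It applies the page-name pattern from the quoted Page.pm hunk to the URL path and to any mv_nextpage value, assuming Common Log Format access logs; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Pattern copied from the Page.pm hunk quoted above (Python syntax):
# "[" or "<", __NAME__ / @_NAME_@ style tokens, or @@NAME@@.
VIOLATION = re.compile(r"[\[<]|[@_]_[A-Z]\w+_[@_]|@@[A-Z]\w+@@", re.ASCII)
# Assumption: Common Log Format request field, e.g. "GET /path HTTP/1.0".
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def page_names(target):
    """Yield page-name candidates from a request target: the URL path
    and any mv_nextpage form value, both percent-decoded."""
    parts = urlsplit(target)
    yield unquote(parts.path)
    for value in parse_qs(parts.query).get("mv_nextpage", []):
        yield value  # parse_qs has already percent-decoded this

def suspicious_requests(lines):
    """Return (client, matched_name) for each log line whose path or
    mv_nextpage value would trip the page-name check."""
    hits = []
    for line in lines:
        m = REQUEST.search(line)
        if not m:
            continue  # not a request line we understand
        for name in page_names(m.group(1)):
            if VIOLATION.search(name):
                hits.append((line.split(" ", 1)[0], name))
                break  # one hit per log line is enough
    return hits

# Constructed sample log lines (not taken from the original post).
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Mar/2004:10:01:02 -0700] "GET /cgi-bin/store/index.html HTTP/1.0" 200 5120',
    '192.0.2.77 - - [29/Mar/2004:10:03:41 -0700] "GET /cgi-bin/store/__SQLUSER__ HTTP/1.0" 200 2048',
    '192.0.2.77 - - [29/Mar/2004:10:03:55 -0700] "GET /cgi-bin/store/%5F%5FSQLUSER%5F%5F HTTP/1.0" 200 2048',
    '192.0.2.31 - - [29/Mar/2004:10:05:10 -0700] "GET /cgi-bin/store/my__notes.html HTTP/1.0" 404 310',
    '192.0.2.88 - - [29/Mar/2004:10:07:19 -0700] "GET /cgi-bin/store/process?mv_nextpage=__SQLUSER__ HTTP/1.0" 200 2048',
]

if __name__ == "__main__":
    for client, name in suspicious_requests(SAMPLE_LOG):
        print(f"{client}\t{name}")
```

Decoding before matching matters because the web server logs the request line as sent, so a plain grep for the literal token misses percent-encoded requests.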
More information about the interchange-users
mailing list