
jon at akopia
Apr 16, 2001, 3:34 PM
Security hole in IC admin
Bad news. Serious security holes have been found in two pages of the Interchange web administration back-end, versions 4.5.3 through 4.6.4. They are not normally directly accessed by the administrator and escaped notice until Merlyn J. Pease <peasemj [at] bellatlantic> reported finding the problem.

The page 'do_view' allows unauthenticated reading of files in the catalog directory, most notably any of the plain-text sources to database tables. The page 'page_save' allows an unauthenticated user to overwrite files in the catalog pages/ directory.

The holes have been plugged in CVS, both stable and development, and in Interchange 4.6.5, which will be released shortly. You can use the patches below to fix any production Interchange installations you're responsible for. Please spread the word to any other Interchange administrators who may not be monitoring this mailing list.

Thanks to Merlyn for finding this and letting us know.

Jon

Index: do_view.html =================================================================== RCS file: /anon_cvs/repository/interchange/dist/lib/UI/pages/admin/do_view.html,v retrieving revision 1.2 retrieving revision 1.3 diff -u -r1.2 -r1.3 --- do_view.html 2000/08/05 13:55:37 1.2 +++ do_view.html 2001/04/14 22:28:29 1.3 @@ -1,6 +1,10 @@ [seti total_junk][perl] delete $Scratch->{violation}; $_ = delete $Session->{arg}; + $Scratch->{violation} = errmsg('Must be logged in.') + unless $Session->{logged_in}; + $Scratch->{violation} = errmsg('Must be logged in as admin.') + unless $Session->{admin}; $Scratch->{violation} = 'No .. allowed in file name.' if m{\.\./}; $Scratch->{violation} = 'No | allowed.' Index: page_save.html =================================================================== RCS file: /anon_cvs/repository/interchange/dist/lib/UI/pages/admin/page_save.html,v retrieving revision 1.6 retrieving revision 1.7 diff -u -r1.6 -r1.7 --- page_save.html 2000/12/07 22:53:23 1.6 +++ page_save.html 2001/04/14 22:28:29 1.7 
@@ -1,3 +1,11 @@ +[if !session admin] +[or !session logged_in] +[then] + [set violation]Must be logged in as admin.[/set] + [bounce page="__UI_BASE__/error"] +[/then] +[/if] + [perl] my @filters = grep /^ui_filter:/, keys %$CGI; foreach my $key (@filters) { <end>
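Review bot: In the do_view.html hunk the new lines only set `$Scratch->{violation}`; the enforcement that actually refuses to open the file when the violation is non-empty lies outside the hunk and should be confirmed, especially since the following lines (`$Scratch->{violation} = 'No .. allowed in file name.' if m{\.\./};` and the `'No | allowed.'` assignment) overwrite the message rather than accumulate it, so the page must act on any non-empty violation, not on a specific one. The two checks also overlap: if the `admin` flag implies a logged-in session, a single `unless $Session->{admin}` line suffices. And because these pages "escaped notice" precisely for lacking a guard, the same test belongs in a shared include or in the UI dispatcher so every page under lib/UI/pages/admin gets it, rather than being patched page by page.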
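Review bot: The page_save.html hunk relies on `[bounce page="__UI_BASE__/error"]` aborting the rest of the page; confirm that a bounce stops evaluation before the `[perl]` block that follows it, otherwise the file write still happens and only the redirect differs. This hunk also does the test in ITL (`[if !session admin]` / `[or !session logged_in]`) while the do_view.html hunk does the equivalent test in Perl with errmsg(); pick one form for both pages so the admin check is easy to audit, and drop the `[or !session logged_in]` branch if the admin flag already implies a logged-in session.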
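As an added example, not code from the post and not Interchange's own, the two ideas behind the patch combined into one standalone Perl guard: the session test from do_view.html, and a file-name check that canonicalises the requested path and requires it to stay under the catalog directory instead of only rejecting `../`. The `check_view_request` function, the `$session` hash, and the temporary catalog fixture are assumptions for illustration.

```perl
#!/usr/bin/perl
# Added example (not Interchange code): admin-page guard for a file viewer.
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use File::Temp qw(tempdir);
use File::Path qw(make_path);

# Returns undef when access is allowed, otherwise a violation message.
# $session mirrors the logged_in/admin flags of Interchange's %$Session
# (assumed shape), $root is the catalog directory the page may serve from,
# $arg is the user-supplied file name.
sub check_view_request {
    my ($session, $root, $arg) = @_;
    return 'Must be logged in.'          unless $session->{logged_in};
    return 'Must be logged in as admin.' unless $session->{admin};
    return 'No file name given.'         unless defined $arg && length $arg;
    return 'No | allowed.'               if $arg =~ /\|/;

    # Reject any '..' path component, not only the '../' spelling.
    for my $part (File::Spec->splitdir($arg)) {
        return 'No .. allowed in file name.' if $part eq '..';
    }

    # Canonicalise and require the result to stay inside $root, so symlinks
    # and absolute paths cannot escape the catalog directory.
    my $real_root = realpath($root) or return 'Catalog root missing.';
    my $target    = realpath(File::Spec->catfile($real_root, $arg))
        or return 'No such file.';
    return 'File outside catalog directory.'
        unless index($target, "$real_root/") == 0;
    return 'Not a regular file.' unless -f $target;
    return undef;
}

# Constructed fixture: a throw-away catalog with one plain-text table source
# and a symlink that points outside the catalog.
my $root = tempdir(CLEANUP => 1);
make_path("$root/products");
open my $fh, '>', "$root/products/products.txt" or die $!;
print $fh "sku\tdescription\nEXAMPLE01\tconstructed row\n";
close $fh;
symlink '/etc', "$root/escape" or warn "symlink failed: $!";

my %anon  = ();
my %admin = (logged_in => 1, admin => 1);

for my $case (
    [\%anon,  'products/products.txt'],      # denied: not logged in
    [\%admin, 'products/products.txt'],      # allowed
    [\%admin, '../../../../etc/passwd'],     # denied: '..' component
    [\%admin, 'escape/passwd'],              # denied: symlink leaves root
    [\%admin, '/etc/passwd'],                # denied: resolves outside root
) {
    my ($sess, $name) = @$case;
    my $v = check_view_request($sess, $root, $name);
    printf "%-30s %s\n", $name, defined $v ? "DENIED: $v" : 'allowed';
}
```

The session test runs first so an unauthenticated request is refused before any file-system work, and the realpath comparison is the check that matters once a caller is authenticated: it decides on where the name actually resolves, not on what it looks like.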