
racke at linuxia
Mar 29, 2004, 7:42 AM
Security Problem in Interchange
Dear Interchange community!

All versions of Interchange (4.8.x, 5.0.x, 5.1.x) contain a security hole which allows an attacker to expose arbitrary variable contents by using a URL like http://shop.example.com/cgi-bin/store/__SQLUSER__. All Interchange applications using the standard "missing" special page from the demo catalog or a similar one are vulnerable to this attack. The attacker may learn the SQL access information for your Interchange application and use this information to read and manipulate sensitive data.

Attached are patches for the following Interchange versions:

4.8.x: Page-4.8.diff
5.0.x: Page-5.0.diff
5.1.x/CVS: Page-5.1.diff

To apply the patch for your Interchange version, enter the directory Vend or lib/Vend, respectively, below your Interchange installation directory and run the following command:

patch -p3 < /path/to/Page.diff

Please replace the file name of the patch file with the appropriate location.

Tarballs and Debian packages for Interchange 4.8.8 and Interchange 5.0.1 will be released shortly.

Racke

--
LinuXia Systems => http://www.linuxia.de/
Expert Interchange Consulting and System Administration
ICDEVGROUP => http://www.icdevgroup.org/
Interchange Development Team

-------------- next part -------------- diff -u -r2.0.2.5 -r2.0.2.6 --- interchange-4.8.7/lib/Vend/Page.pm 26 Nov 2002 03:21:10 -0000 2.0.2.5 +++ interchange-4.8.8/lib/Vend/Page.pm 28 Mar 2004 20:34:35 -0000 2.0.2.6 @@ -54,13 +54,14 @@ my($name, $subject) = @_; my($page); - $name =~ m/[\[<]+/g + $name =~ m/[\[<]|[\@_]_[A-Z]\w+_[\@_]|\@\@[A-Z]\w+\@\@/ and do { ::logGlobal( "Security violation -- scripting character in page name '%s'.", $name, ); $name = 'violation'; + 1 while $subject =~ s/[\@_]_/_/g; }; $subject = $subject || 'unspecified error';
@@ -83,7 +84,7 @@ my($name) = @_; my($page); - $name =~ m/[\[<]+/g + $name =~ m/[\[<]|[\@_]_[A-Z]\w+_[\@_]|\@\@[A-Z]\w+\@\@/ and do { ::logGlobal( "Security violation -- scripting character in page name '%s'.", -------------- next part -------------- diff -u -r2.16 -r2.17 --- interchange-5.0.0/lib/Vend/Page.pm 27 Dec 2003 01:08:33 -0000 2.16 +++ interchange-5.0.1/lib/Vend/Page.pm 28 Mar 2004 20:29:39 -0000 2.17 @@ -56,16 +56,17 @@ undef $Vend::write_redirect; - $name =~ m/[\[<]+/g + $name =~ m/[\[<]|[\@_]_[A-Z]\w+_[\@_]|\@\@[A-Z]\w+\@\@/ and do { ::logGlobal( "Security violation -- scripting character in page name '%s'.", $name, ); - $name = 'violation'; + $name = find_special_page('violation'); + 1 while $subject =~ s/[\@_]_/_/g; }; - $subject = $subject || 'unspecified error'; + $subject ||= 'unspecified error'; my $noname = $name; $noname =~ s:^\.\./::; @@ -88,17 +89,17 @@ my($name, $opt) = @_; my($page); - $name =~ m/[\[<]+/g + $name ||= $CGI::values{mv_nextpage}; + + $name =~ m/[\[<]|[\@_]_[A-Z]\w+_[\@_]|\@\@[A-Z]\w+\@\@/ and do { ::logGlobal( "Security violation -- scripting character in page name '%s'.", $name, ); - $name = 'violation'; + $name = find_special_page('violation'); return display_special_page($name); }; - - $name = $CGI::values{mv_nextpage} unless $name; if($Vend::Cfg->{ExtraSecure} and $Vend::Cfg->{AlwaysSecure}->{$name} -------------- next part -------------- diff -u -r2.16 -r2.17 --- interchange-5.1.0-vanilla/lib/Vend/Page.pm 27 Dec 2003 01:08:33 -0000 2.16 +++ interchange-5.1.0/lib/Vend/Page.pm 28 Mar 2004 20:29:39 -0000 2.17 @@ -56,13 +56,14 @@ undef $Vend::write_redirect; - $name =~ m/[\[<]/ + $name =~ m/[\[<]|[\@_]_[A-Z]\w+_[\@_]|\@\@[A-Z]\w+\@\@/ and do { ::logGlobal( "Security violation -- scripting character in page name '%s'.", $name, ); - $name = 'violation'; + $name = find_special_page('violation'); + 1 while $subject =~ s/[\@_]_/_/g; }; $subject ||= 'unspecified error'; 
@@ -90,13 +91,13 @@ $name ||= $CGI::values{mv_nextpage}; - $name =~ m/[\[<]/ + $name =~ m/[\[<]|[\@_]_[A-Z]\w+_[\@_]|\@\@[A-Z]\w+\@\@/ and do { ::logGlobal( "Security violation -- scripting character in page name '%s'.", $name, ); - $name = 'violation'; + $name = find_special_page('violation'); return display_special_page($name); };
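Review bot: in the 4.8 hunk at @@ -54,13 +54,14 @@, the new subject sanitiser `1 while $subject =~ s/[\@_]_/_/g;` collapses the `__NAME__` and `@_NAME_@` forms but leaves `@@NAME@@` untouched, although the name check on the line above now rejects that form as well; if $subject is expanded by the same template code as $name, add a substitution for the `\@\@` form too. This hunk also keeps the literal `$name = 'violation';` where the 5.0 and 5.1 hunks switch to `find_special_page('violation')`; if 4.8 has no such helper that is fine, but the difference deserves a line in the commit message.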
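Review bot: in the 5.0 hunk at @@ -56,16 +56,17 @@, the `1 while $subject =~ s/[\@_]_/_/g;` line is placed inside the `and do { ... }` block, so $subject is only cleaned when $name has already tripped the check; a $subject carrying variable markers next to a clean $name is passed on unchanged. Unless $subject is always generated internally, move the loop after the closing `};` so it runs unconditionally. The `$subject ||= 'unspecified error';` simplification is fine.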
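Review bot: in the 5.0 hunk at @@ -88,17 +89,17 @@, moving `$name ||= $CGI::values{mv_nextpage};` above the check is the substantive part of this hunk: previously `$name = $CGI::values{mv_nextpage} unless $name;` ran after the violation test, so a page name supplied only through mv_nextpage was never validated. That is a separate fix from the regex widening and should be called out in the commit message and in the advisory text.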
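Review bot: in the 5.1 hunk at @@ -90,13 +91,13 @@ (and at every other check site in the three patches), the literal `m/[\[<]|[\@_]_[A-Z]\w+_[\@_]|\@\@[A-Z]\w+\@\@/` is repeated verbatim; factor it into one shared pattern (a `qr//` in Vend::Page or a small helper) so that any later adjustment is made in one place. Related: the `[A-Z]\w+` part assumes variable names begin with an uppercase letter and are at least two characters long; please confirm this against the names the variable expansion code actually accepts, and align the class with that grammar if it differs.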
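As an added example (not code from this post or from Interchange itself), the patched page-name check and the subject sanitiser translated to Python and run over constructed access-log lines, so an administrator can see which requests the fixed code would refuse; the log lines, client addresses and the /cgi-bin/store/ script prefix are all assumptions.

```python
import re
from urllib.parse import unquote

# The patched Vend::Page check, translated from the Perl regex
# m/[\[<]|[\@_]_[A-Z]\w+_[\@_]|\@\@[A-Z]\w+\@\@/ (same \w semantics here).
BAD_PAGE_NAME = re.compile(r"[\[<]|[@_]_[A-Z]\w+_[@_]|@@[A-Z]\w+@@")

# Request line of a common-log-format entry; the path is group 1.
REQUEST_PATH = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

# Constructed sample access-log lines (192.0.2.0/24 is a documentation
# range); the /cgi-bin/store/ script prefix is an assumption.
SAMPLE_LOG = """\
192.0.2.10 - - [29/Mar/2004:10:15:01 +0200] "GET /cgi-bin/store/index HTTP/1.1" 200 5120
192.0.2.11 - - [29/Mar/2004:10:15:07 +0200] "GET /cgi-bin/store/__SQLUSER__ HTTP/1.1" 200 812
192.0.2.12 - - [29/Mar/2004:10:15:09 +0200] "GET /cgi-bin/store/@@SQLPASS@@ HTTP/1.1" 200 790
192.0.2.13 - - [29/Mar/2004:10:15:12 +0200] "GET /cgi-bin/store/ord/basket?id=7 HTTP/1.1" 200 4410
"""

def is_rejected_page_name(name: str) -> bool:
    """True if the patched check would log a security violation for this name."""
    return BAD_PAGE_NAME.search(name) is not None

def sanitize_subject(subject: str) -> str:
    """Mirror of the patch's `1 while $subject =~ s/[\\@_]_/_/g;`: collapse
    '@_' and '__' to a single '_' until a pass makes no change."""
    while True:
        subject, count = re.subn(r"[@_]_", "_", subject)
        if count == 0:
            return subject

def find_probes(log_text: str, script_prefix: str = "/cgi-bin/store/") -> list:
    """Return (client_ip, page_name) for requests whose page name the patched
    check rejects, i.e. requests an unpatched catalog would have served."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_PATH.search(line)
        if not match:
            continue
        # Logs keep the percent-encoded form: decode, then drop the query
        # string, since only the path selects the page.
        path = unquote(match.group(1)).split("?", 1)[0]
        if path.startswith(script_prefix):
            page = path[len(script_prefix):]
            if is_rejected_page_name(page):
                hits.append((line.split(" ", 1)[0], page))
    return hits
```

Calling find_probes(SAMPLE_LOG) returns the two requests whose page names the patched check refuses; point it at a real access log to review traffic from before the patch was applied.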