From: David Kennedy CISSP (david.kennedyACM.ORG)
Date: Fri Mar 23 2001 - 11:01:59 CST

    [Interchange-announce] Security advisory

    Jon Jensen jonakopia.com
    Thu, 22 Mar 2001 19:20:21 -0600 (CST)

    A serious security vulnerability has been found in the default
    installation of the Interchange demo stores 'barry', 'basic', and
    'construct' distributed in Interchange versions 4.5.3 through 4.6.3.

    Using a group login that had no password set by default, it is possible to
    log in to the back-end administration area and view and alter products,
    orders, and customer information.

    If you set up a store based on one of those demos and did not remove all
    default user and group accounts, you should immediately make the following
    change:

    In all installed catalog directories, as well as the catalog templates in
    the Interchange software directory, edit the products/access.asc file,
    changing this line:

    :backup<tab><tab>Backup

    to look like this:

    :backup<tab>*<tab>Backup

    As with all other Interchange database source files, the placement of the
    tabs is significant.

    You could also simply delete that line altogether.

    Make sure to restart Interchange so your change takes effect.

    This problem has been fixed in Interchange 4.6.4, to be released shortly.
    As well as blocking password access on that group, there are now also
    tighter checks on login attempts. Group logins, user names with invalid
    characters, and blank passwords will all be rejected without consulting
    the access database.

    Many thanks to Jud Harris <jud-listscopernica.com> for finding and
    reporting this problem on the interchange-users list:

    http://lists.akopia.com/pipermail/interchange-users/2001-March/005939.html

    Jon

    --
    Dave Kennedy CISSP Director of Research Services TruSecure Corp.
    http://www.trusecure.com
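An added example, not part of the advisory above or of Interchange's own code: a small Python audit script that flags entries with a blank password field in an access.asc-style file, applies the '*' fix the advisory prescribes, and models the pre-lookup login checks described for 4.6.4. It assumes a code/password/name column order and a user-name character policy that are illustrative only, not Interchange's actual rules.

```python
import re

# Constructed sample in the assumed code<TAB>password<TAB>name layout; tabs are
# significant, exactly as the advisory warns. ':backup' is the vulnerable entry.
SAMPLE_ACCESS_ASC = (
    "code\tpassword\tname\n"
    "admin\t$1$constructed$hashvalue\tAdministrator\n"
    ":backup\t\tBackup\n"
    "reports\t\tReports\n"
)

# Assumed character policy for user names (not Interchange's actual rule).
VALID_USERNAME = re.compile(r"^[A-Za-z0-9_.-]+$")

def parse_access(text):
    """Split the file into (code, password, name) tuples, padding short rows."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        fields += [""] * (3 - len(fields))
        rows.append(tuple(fields[:3]))
    return rows

def find_blank_passwords(text):
    """Return the codes of every entry whose password field is empty."""
    return [code for code, password, _ in parse_access(text) if password == ""]

def harden(text):
    """Return a copy with '*' in each blank password field, other columns intact."""
    fixed = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) >= 2 and fields[1] == "":
            fields[1] = "*"  # the blocking value the advisory prescribes
        fixed.append("\t".join(fields))
    return "\n".join(fixed) + "\n"

def precheck_login(username, password):
    """Reject group logins, bad characters and blank passwords before any access
    table lookup, as described for 4.6.4. Returns a reason, or None if OK."""
    if username.startswith(":"):
        return "group login"
    if not VALID_USERNAME.match(username):
        return "invalid characters"
    if password == "":
        return "blank password"
    return None
```

Run find_blank_passwords against each installed catalog's products/access.asc and the catalog templates, then restart Interchange after writing the hardened copy back.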