SecurityTracker.com
Category:  Application (Commerce) > Interchange (Akopia)
Vendors:  Akopia (Red Hat E-Commerce)
Akopia Interchange E-Commerce System Allows Unauthorized Users to View and Alter Products, Orders, and Customer Information
SecurityTracker Alert ID:  1001151
SecurityTracker URL:  http://securitytracker.com/id/1001151
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Mar 26 2001
Impact:   Disclosure of user information, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 4.5.3 - 4.6.3
Description:   Akopia's Interchange commerce package contains a security vulnerability that allows unauthorized remote users to view and alter the commerce system's data, including products, orders, and customer information.

The vendor notes that the default installations of the Interchange demo stores 'barry', 'basic', and 'construct' distributed in Interchange versions 4.5.3 through 4.6.3 are vulnerable. Each ships with a group login (the ':backup' entry in products/access.asc) that has no password set by default, allowing remote users to log in to the back-end administration area and view and alter products, orders, and customer information.

Credit for discovery is given to Jud Harris <jud-lists@copernica.com>.

Impact:   An unauthorized user can remotely log in to the back-end administration area and view and alter products, orders, and customer information.
Solution:   Upgrade to version 4.6.4 (to be released shortly at the time of this alert). Besides blocking password access on the 'backup' group, 4.6.4 adds tighter login checks: group logins, user names with invalid characters, and blank passwords are rejected before the access database is consulted. In the meantime, the vendor provides the following advice:

If you set up a store based on one of those demos and did not remove all default user and group accounts, you should immediately make the following change:

In all installed catalog directories, as well as the catalog templates in the Interchange software directory, edit the products/access.asc file, changing this line:

:backup<tab><tab>Backup

to look like this:

:backup<tab>*<tab>Backup

As with all other Interchange database source files, the placement of the tabs is significant.

You could also simply delete that line altogether.

Make sure to restart Interchange so your change takes effect.
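An added audit-and-fix script for the procedure above. It is not Interchange's own code, and it is written in Python rather than the project's Perl so it can be run as-is: it scans every access.asc under a directory tree for records whose password field is empty and rewrites them using either of the vendor's two fixes. The record layout (login name, then password, then further fields, separated by single tabs, with an optional header row whose first field is 'code') is assumed from the advisory's example line, and the sample file contents are constructed. It goes beyond the advisory in flagging any passwordless record, not only the ':backup' group, since a blank password on a user account has the same effect.

```python
"""Audit and harden Interchange-style products/access.asc files.

Added example for this advisory; it is not Interchange's own code.  The
record layout is assumed from the advisory's sample line
(':backup<tab><tab>Backup'): one record per line, fields separated by
single tabs, field 0 the login name (group logins begin with ':'),
field 1 the password, later fields left untouched.  A leading header row
whose first field is 'code' is also assumed and preserved.
"""
import os

# Constructed sample resembling a vulnerable demo catalog's access.asc.
# The ':backup' record carries the empty password field from the advisory;
# 'staff' is a constructed user record with the same defect, and the admin
# hash is a placeholder string, not a real hash.
SAMPLE_ACCESS_ASC = (
    "code\tpassword\tname\n"
    "admin\tXYZabc123.hash\tAdministrator\n"
    ":backup\t\tBackup\n"
    "staff\t\tStaff account\n"
)

DISABLED = "*"  # password field value no crypt-style hash can ever equal


def records(text):
    """Yield (line, fields) per line; header and blank lines have fields=None."""
    header_done = False
    for line in text.splitlines():
        fields = line.split("\t")
        if not line.strip():
            yield line, None
        elif not header_done and fields[0] == "code":
            header_done = True
            yield line, None
        else:
            header_done = True
            yield line, fields


def passwordless_logins(text):
    """Login names whose password field is empty or missing entirely."""
    return [f[0] for _, f in records(text) if f and (len(f) < 2 or f[1] == "")]


def harden_access_asc(text, mode="disable"):
    """Return text with every passwordless record fixed.

    mode='disable' writes '*' into the password field (the vendor's fix);
    mode='delete' drops the record (the vendor's alternative).
    Records that already have a password are emitted unchanged, and only
    the password field is rewritten, because tab placement is significant.
    """
    out = []
    for line, fields in records(text):
        if fields is None or (len(fields) >= 2 and fields[1] != ""):
            out.append(line)
            continue
        if mode == "delete":
            continue
        while len(fields) < 2:
            fields.append("")
        fields[1] = DISABLED
        out.append("\t".join(fields))
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


def scan_tree(root):
    """Map each access.asc under root (catalogs and templates) to its passwordless logins."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        if "access.asc" in filenames:
            path = os.path.join(dirpath, "access.asc")
            with open(path, encoding="utf-8") as fh:
                hits = passwordless_logins(fh.read())
            if hits:
                findings[path] = hits
    return findings


if __name__ == "__main__":
    import tempfile
    # Build a throwaway catalog tree holding the constructed sample, scan it,
    # and print the hardened file.
    with tempfile.TemporaryDirectory() as root:
        cat = os.path.join(root, "catalogs", "basic", "products")
        os.makedirs(cat)
        with open(os.path.join(cat, "access.asc"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_ACCESS_ASC)
        for path, hits in scan_tree(root).items():
            print(f"{path}: passwordless logins {hits}")
        print(harden_access_asc(SAMPLE_ACCESS_ASC), end="")
```

The '*' the vendor writes into the password field is a value no crypt-style hash can produce, which is why the advisory describes it as blocking password access on that group; deleting the record removes the login entirely. Point scan_tree at both the installed catalog directories and the catalog templates in the Interchange software directory, and restart Interchange after rewriting, as the advisory says.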

Vendor URL:  www.akopia.com
Cause:   Authentication error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  FW: Akopia Interchange E-commerce Package Demo Files Vulnerability


[Interchange-announce] Security advisory
Jon Jensen jon@akopia.com
Thu, 22 Mar 2001 19:20:21 -0600 (CST)


A serious security vulnerability has been found in the default
installation of the Interchange demo stores 'barry', 'basic', and
'construct' distributed in Interchange versions 4.5.3 through 4.6.3.

Using a group login that had no password set by default, it is possible to
log in to the back-end administration area and view and alter products,
orders, and customer information.

If you set up a store based on one of those demos and did not remove all
default user and group accounts, you should immediately make the following
change:

In all installed catalog directories, as well as the catalog templates in
the Interchange software directory, edit the products/access.asc file,
changing this line:

:backup<tab><tab>Backup

to look like this:

:backup<tab>*<tab>Backup

As with all other Interchange database source files, the placement of the
tabs is significant.

You could also simply delete that line altogether.

Make sure to restart Interchange so your change takes effect.

This problem has been fixed in Interchange 4.6.4, to be released shortly.
As well as blocking password access on that group, there are now also
tighter checks on login attempts. Group logins, user names with invalid
characters, and blank passwords will all be rejected without consulting
the access database.

Many thanks to Jud Harris <jud-lists@copernica.com> for finding and
reporting this problem on the interchange-users list:

http://lists.akopia.com/pipermail/interchange-users/2001-March/005939.html

Jon

--
Dave Kennedy CISSP Director of Research Services TruSecure Corp.
http://www.trusecure.com
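The 4.6.4 change described in the message above (group logins, user names with invalid characters, and blank passwords rejected before the access database is consulted), as an added example that is neither Interchange's code nor Jon Jensen's. The advisory does not state which characters are invalid or how passwords are hashed, so the allowed-character set and the SHA-256 stand-in for the stored hash are assumptions, and the access database contents are constructed. The verify step additionally refuses an empty or '*' password field, so a passwordless record is rejected even if the pre-check were somehow bypassed.

```python
"""Login pre-checks in the spirit of the Interchange 4.6.4 change.

Added example; it is not Interchange's code.  The advisory says 4.6.4
rejects group logins, user names with invalid characters, and blank
passwords before the access database is consulted; the exact character
rules and password hashing are not given there, so the allowed-character
set below and the SHA-256 stand-in for the stored hash are assumptions.
"""
import hashlib
import hmac
import re

# Assumed allowed login-name alphabet (not specified in the advisory).
VALID_USERNAME = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")
DISABLED = "*"  # the password field value the vendor's fix writes; no hash equals it


def hash_password(password):
    """Stand-in for whatever hash the real product stores (assumption)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def login_precheck(username, password):
    """Return a rejection reason, or None if the login may be looked up.

    Every rejection here happens before any database access, so a
    passwordless or group record in access.asc is never even reached.
    The order follows the advisory's list.
    """
    if username.startswith(":"):
        return "group login"
    if not VALID_USERNAME.match(username):
        return "invalid character"
    if password == "":
        return "blank password"
    return None


def verify_stored(stored, supplied):
    """Compare a supplied password with the stored field.

    An empty field or the '*' marker never matches, mirroring the crypt(3)
    convention the vendor's access.asc fix relies on.
    """
    if stored in ("", DISABLED):
        return False
    return hmac.compare_digest(stored, hash_password(supplied))


def authenticate(username, password, access_db, audit=None):
    """True only when the pre-check passes and the stored hash matches.

    access_db maps login name -> stored password field (as in access.asc).
    If audit is a list, it records whether the database was consulted.
    """
    reason = login_precheck(username, password)
    if reason is not None:
        if audit is not None:
            audit.append(("rejected before lookup", reason))
        return False
    if audit is not None:
        audit.append(("database lookup", username))
    stored = access_db.get(username)
    if stored is None:
        return False
    return verify_stored(stored, password)


# Constructed access database: an admin with a stand-in hash, the pre-fix
# passwordless ':backup' group, and a user account disabled with '*'.
ACCESS_DB = {
    "admin": hash_password("correct horse battery staple"),
    ":backup": "",
    "oldstaff": DISABLED,
}

if __name__ == "__main__":
    attempts = [(":backup", ""), (":backup", "anything"), ("admin", ""),
                ("ad min", "x"), ("oldstaff", "x"),
                ("admin", "correct horse battery staple")]
    for user, pw in attempts:
        trail = []
        ok = authenticate(user, pw, ACCESS_DB, trail)
        print(f"{user!r:12} {'accepted' if ok else 'rejected'} {trail}")
```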


Copyright 2022, SecurityGlobal.net LLC