SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Commerce)  >   Interchange Vendors:   Debian
(Debian Issues Fix) Interchange Commerce Server Discloses Files on the System to Remote Users
SecurityTracker Alert ID:  1005033
SecurityTracker URL:  http://securitytracker.com/id/1005033
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Aug 13 2002
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   A vulnerability was reported in Red Hat's Interchange commerce system. A remote user can view arbitrary files on the system.

It is reported that a remote user can supply a GET request containing '../' directory traversal characters to view any file on the system.

The vendor has reportedly been notified.

Impact:   A remote user can view arbitrary files on the system.
Solution:   Debian has released a fix in version 4.8.3.20020306-1.woody.1 for the current stable distribution (woody) and in version 4.8.6-1 for the unstable distribution (sid). The old stable distribution (potato) is not affected, because it doesn't ship the Interchange system.

Debian reports that the previous version of the package is vulnerable when Interchange runs in "INET mode" (internet domain socket). This is reportedly not the default setting in Debian's distribution.

Debian GNU/Linux 3.0 alias woody:

Source archives:

http://security.debian.org/pool/updates/main/i/interchange/interchange_4.8.3.20020306-1.woody.1.dsc
Size/MD5 checksum: 883 ffa49ff2144a7bd4320eb9c2198d24b3
http://security.debian.org/pool/updates/main/i/interchange/interchange_4.8.3.20020306-1.woody.1.diff.gz
Size/MD5 checksum: 528 60c7cb2c1798ae2f61365e130d1772d3
http://security.debian.org/pool/updates/main/i/interchange/interchange_4.8.3.20020306.orig.tar.gz
Size/MD5 checksum: 1858749 660c7e65732a052a81d2ae6e4c6ed2b5

Architecture independent components:

http://security.debian.org/pool/updates/main/i/interchange/interchange-cat-foundation_4.8.3.20020306-1.woody.1_all.deb
Size/MD5 checksum: 635062 6ebceb949aad1dc23e364dd297125c8f
http://security.debian.org/pool/updates/main/i/interchange/interchange-ui_4.8.3.20020306-1.woody.1_all.deb
Size/MD5 checksum: 432068 3f9574521ced0bc39c40793c74841947

Alpha architecture:

http://security.debian.org/pool/updates/main/i/interchange/interchange_4.8.3.20020306-1.woody.1_alpha.deb
Size/MD5 checksum: 856324 a903c5f415978bda83ebc64e533d6513
http://security.debian.org/pool/updates/main/i/interchange/libapache-mod-interchange_4.8.3.20020306-1.woody.1_alpha.deb
Size/MD5 checksum: 13812 21dcdb083b2d93e8b72cb06e3b9b3d77

ARM architecture:

http://security.debian.org/pool/updates/main/i/interchange/interchange_4.8.3.20020306-1.woody.1_arm.deb
Size/MD5 checksum: 854980 80a5246531dc085d5ef629dd1337271c
http://security.debian.org/pool/updates/main/i/interchange/libapache-mod-interchange_4.8.3.20020306-1.woody.1_arm.deb
Size/MD5 checksum: 13198 63fe3b689099793c61b2bbb870c101e3

Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/i/interchange/interchange_4.8.3.20020306-1.woody.1_i386.deb
Size/MD5 checksum: 852744 7a40058ecc9119c740826b3dbc9660d0
http://security.debian.org/pool/updates/main/i/interchange/libapache-mod-interchange_4.8.3.20020306-1.woody.1_i386.deb
Size/MD5 checksum: 13156 234c7d614aa28de64d5d33dcb49e654d

Intel IA-64 architecture:

http://security.debian.org/pool/updates/main/i/interchange/interchange_4.8.3.20020306-1.woody.1_ia64.deb
Size/MD5 checksum: 858420 6f16f350d5d162b2bbac98bb4e7dc857
http://security.debian.org/pool/updates/main/i/interchange/libapache-mod-interchange_4.8.3.20020306-1.woody.1_ia64.deb
Size/MD5 checksum: 15670 fcfacf2758ac97a9ee6390bf20b9f64b

HP Precision architecture:

http://security.debian.org/pool/updates/main/i/interchange/interchange_4.8.3.20020306-1.woody.1_hppa.deb
Size/MD5 checksum: 856104 4d7932a5d476acf49eda3ca2ecc4bf89
http://security.debian.org/pool/updates/main/i/interchange/libapache-mod-interchange_4.8.3.20020306-1.woody.1_hppa.deb
Size/MD5 checksum: 13920 a4593d918b5c9c87434544ed7d0af579

Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/i/interchange/interchange_4.8.3.20020306-1.woody.1_m68k.deb
Size/MD5 checksum: 855146 de6a211e1b615dded617c9ff9877b897
http://security.debian.org/pool/updates/main/i/interchange/libapache-mod-interchange_4.8.3.20020306-1.woody.1_m68k.deb
Size/MD5 checksum: 13168 fda641d6355b9141fc2afde7b87c95c0

Big endian MIPS architecture:

http://security.debian.org/pool/updates/main/i/interchange/interchange_4.8.3.20020306-1.woody.1_mips.deb
Size/MD5 checksum: 855866 75c9d826ef0c1352b3a035d22d0867cf
http://security.debian.org/pool/updates/main/i/interchange/libapache-mod-interchange_4.8.3.20020306-1.woody.1_mips.deb
Size/MD5 checksum: 13236 4abca0332cc562ee5a624c8eb15cfa5f

Little endian MIPS architecture:

http://security.debian.org/pool/updates/main/i/interchange/interchange_4.8.3.20020306-1.woody.1_mipsel.deb
Size/MD5 checksum: 855776 3d9df00fd5fb6bee01222e9e263edc66
http://security.debian.org/pool/updates/main/i/interchange/libapache-mod-interchange_4.8.3.20020306-1.woody.1_mipsel.deb
Size/MD5 checksum: 13238 59556c80240d01d47bfba36b20e5c34b

PowerPC architecture:

http://security.debian.org/pool/updates/main/i/interchange/interchange_4.8.3.20020306-1.woody.1_powerpc.deb
Size/MD5 checksum: 855224 2b0bb6d175fbe6194ef1b05c14069fcc
http://security.debian.org/pool/updates/main/i/interchange/libapache-mod-interchange_4.8.3.20020306-1.woody.1_powerpc.deb
Size/MD5 checksum: 13140 ff191322a2afd7b6bae946137f1835a8

IBM S/390 architecture:

http://security.debian.org/pool/updates/main/i/interchange/interchange_4.8.3.20020306-1.woody.1_s390.deb
Size/MD5 checksum: 855636 3e35f8611357c023520871f38782fc94
http://security.debian.org/pool/updates/main/i/interchange/libapache-mod-interchange_4.8.3.20020306-1.woody.1_s390.deb
Size/MD5 checksum: 13440 22c5fdd8fe658f59db6ac859c6e8ff55

Sun Sparc architecture:

http://security.debian.org/pool/updates/main/i/interchange/interchange_4.8.3.20020306-1.woody.1_sparc.deb
Size/MD5 checksum: 858130 7dafc5291988bf31737058939f381ab3
http://security.debian.org/pool/updates/main/i/interchange/libapache-mod-interchange_4.8.3.20020306-1.woody.1_sparc.deb
Size/MD5 checksum: 13274 6342b55b347c6bbd330f9facd1fd8122

Vendor URL:  www.redhat.com/software/interchange/ (Links to External Site)
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Debian)
Underlying OS Comments:  3.0

Message History:   This archive entry is a follow-up to the message listed below.
Aug 13 2002 Red Hat Interchange Commerce Server Discloses Files on the System to Remote Users



 Source Message Contents

Subject:  [SECURITY] [DSA 150-1] New interchange packages fix illegal file exposition


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 150-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
August 13th, 2002   
- --------------------------------------------------------------------------

Package        : interchange
Vulnerability  : illegal file exposition
Problem-Type   : remote
Debian-specific: no

A problem has been discovered in Interchange, an e-commerce and
general HTTP database display system, which can lead to an attacker
being able to read any file to which the user of the Interchange
daemon has sufficient permissions, when Interchange runs in "INET
mode" (internet domain socket).  This is not the default setting in
Debian packages, but configurable with Debconf and via configuration
file.  We also believe that this bug cannot exploited on a regular
Debian system.

This problem has been fixed by the package maintainer in version
4.8.3.20020306-1.woody.1 for the current stable distribution (woody)
and in version 4.8.6-1 for the unstable distribution (sid).  The old
stable distribution (potato) is not affected, since it doesn't ship
the Interchange system.

We recommend that you upgrade your interchange packages.

wget url
	will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/i/interchange/interchange_4.8.3.20020306-1.woody.1.dsc
      Size/MD5 checksum:      883 ffa49ff2144a7bd4320eb9c2198d24b3
    http://security.debian.org/pool/updates/main/i/interchange/interchange_4.8.3.20020306-1.woody.1.diff.gz
      Size/MD5 checksum:      528 60c7cb2c1798ae2f61365e130d1772d3
    http://security.debian.org/pool/updates/main/i/interchange/interchange_4.8.3.20020306.orig.tar.gz
      Size/MD5 checksum:  1858749 660c7e65732a052a81d2ae6e4c6ed2b5

  Architecture independent components:

    http://security.debian.org/pool/updates/main/i/interchange/interchange-cat-foundation_4.8.3.20020306-1.woody.1_all.deb
      Size/MD5 checksum:   635062 6ebceb949aad1dc23e364dd297125c8f
    http://security.debian.org/pool/updates/main/i/interchange/interchange-ui_4.8.3.20020306-1.woody.1_all.deb
      Size/MD5 checksum:   432068 3f9574521ced0bc39c40793c74841947

  Alpha architecture:

    http://security.debian.org/pool/updates/main/i/interchange/interchange_4.8.3.20020306-1.woody.1_alpha.deb
      Size/MD5 checksum:   856324 a903c5f415978bda83ebc64e533d6513
    http://security.debian.org/pool/updates/main/i/interchange/libapache-mod-interchange_4.8.3.20020306-1.woody.1_alpha.deb
      Size/MD5 checksum:    13812 21dcdb083b2d93e8b72cb06e3b9b3d77

  ARM architecture:

    http://security.debian.org/pool/updates/main/i/interchange/interchange_4.8.3.20020306-1.woody.1_arm.deb
      Size/MD5 checksum:   854980 80a5246531dc085d5ef629dd1337271c
    http://security.debian.org/pool/updates/main/i/interchange/libapache-mod-interchange_4.8.3.20020306-1.woody.1_arm.deb
      Size/MD5 checksum:    13198 63fe3b689099793c61b2bbb870c101e3

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/i/interchange/interchange_4.8.3.20020306-1.woody.1_i386.deb
      Size/MD5 checksum:   852744 7a40058ecc9119c740826b3dbc9660d0
    http://security.debian.org/pool/updates/main/i/interchange/libapache-mod-interchange_4.8.3.20020306-1.woody.1_i386.deb
      Size/MD5 checksum:    13156 234c7d614aa28de64d5d33dcb49e654d

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/i/interchange/interchange_4.8.3.20020306-1.woody.1_ia64.deb
      Size/MD5 checksum:   858420 6f16f350d5d162b2bbac98bb4e7dc857
    http://security.debian.org/pool/updates/main/i/interchange/libapache-mod-interchange_4.8.3.20020306-1.woody.1_ia64.deb
      Size/MD5 checksum:    15670 fcfacf2758ac97a9ee6390bf20b9f64b

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/i/interchange/interchange_4.8.3.20020306-1.woody.1_hppa.deb
      Size/MD5 checksum:   856104 4d7932a5d476acf49eda3ca2ecc4bf89
    http://security.debian.org/pool/updates/main/i/interchange/libapache-mod-interchange_4.8.3.20020306-1.woody.1_hppa.deb
      Size/MD5 checksum:    13920 a4593d918b5c9c87434544ed7d0af579

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/i/interchange/interchange_4.8.3.20020306-1.woody.1_m68k.deb
      Size/MD5 checksum:   855146 de6a211e1b615dded617c9ff9877b897
    http://security.debian.org/pool/updates/main/i/interchange/libapache-mod-interchange_4.8.3.20020306-1.woody.1_m68k.deb
      Size/MD5 checksum:    13168 fda641d6355b9141fc2afde7b87c95c0

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/i/interchange/interchange_4.8.3.20020306-1.woody.1_mips.deb
      Size/MD5 checksum:   855866 75c9d826ef0c1352b3a035d22d0867cf
    http://security.debian.org/pool/updates/main/i/interchange/libapache-mod-interchange_4.8.3.20020306-1.woody.1_mips.deb
      Size/MD5 checksum:    13236 4abca0332cc562ee5a624c8eb15cfa5f

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/i/interchange/interchange_4.8.3.20020306-1.woody.1_mipsel.deb
      Size/MD5 checksum:   855776 3d9df00fd5fb6bee01222e9e263edc66
    http://security.debian.org/pool/updates/main/i/interchange/libapache-mod-interchange_4.8.3.20020306-1.woody.1_mipsel.deb
      Size/MD5 checksum:    13238 59556c80240d01d47bfba36b20e5c34b

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/i/interchange/interchange_4.8.3.20020306-1.woody.1_powerpc.deb
      Size/MD5 checksum:   855224 2b0bb6d175fbe6194ef1b05c14069fcc
    http://security.debian.org/pool/updates/main/i/interchange/libapache-mod-interchange_4.8.3.20020306-1.woody.1_powerpc.deb
      Size/MD5 checksum:    13140 ff191322a2afd7b6bae946137f1835a8

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/i/interchange/interchange_4.8.3.20020306-1.woody.1_s390.deb
      Size/MD5 checksum:   855636 3e35f8611357c023520871f38782fc94
    http://security.debian.org/pool/updates/main/i/interchange/libapache-mod-interchange_4.8.3.20020306-1.woody.1_s390.deb
      Size/MD5 checksum:    13440 22c5fdd8fe658f59db6ac859c6e8ff55

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/i/interchange/interchange_4.8.3.20020306-1.woody.1_sparc.deb
      Size/MD5 checksum:   858130 7dafc5291988bf31737058939f381ab3
    http://security.debian.org/pool/updates/main/i/interchange/libapache-mod-interchange_4.8.3.20020306-1.woody.1_sparc.deb
      Size/MD5 checksum:    13274 6342b55b347c6bbd330f9facd1fd8122


  These files will probably be moved into the stable distribution on
  its next revision.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE9WTSbW5ql+IAeqTIRAqUWAKCWlv4aOMg/SRO9oUJKp3kmh/qdDwCgloSw
OPfaqtVpH26zEZ+qhapM1VA=
=ASw7
-----END PGP SIGNATURE-----


-- 
To UNSUBSCRIBE, email to debian-security-announce-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2022, SecurityGlobal.net LLC