SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Commerce)  >   Interchange Vendors:   icdevgroup.org
Interchange Commerce System Discloses SQL Access Information to Remote Users
SecurityTracker Alert ID:  1009645
SecurityTracker URL:  http://securitytracker.com/id/1009645
CVE Reference:   CVE-2004-0374   (Links to External Site)
Date:  Apr 2 2004
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): prior to 5.0.1
Description:   A vulnerability was reported in Interchange. A remote user can view SQL access information.

The vendor reported that a remote user can view arbitrary variable contents using the following type of URL:

http://[target]/cgi-bin/store/__SQLUSER__.

A remote user can view SQL access information and then use that information to query the database and view potentially sensitive information.

All applications that use the standard "missing" special page from the demo catalog or a similar pages are vulnerable, the report said.

Impact:   A remote user can view SQL database access information.
Solution:   The vendor has released a fixed version (5.0.1), available at:

http://www.icdevgroup.org/i/dev/download.html

Also, some patches are available at:

http://www.icdevgroup.org/pipermail/interchange-announce/2004/000044.html

Vendor URL:  www.icdevgroup.org/ (Links to External Site)
Cause:   Access control error
Underlying OS:  Linux (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Apr 2 2004 (Debian Issues Fix) Interchange Commerce System Discloses SQL Access Information to Remote Users
Debian has released a fix.



 Source Message Contents

Subject:  http://ftp.icdevgroup.org/interchange/5.0/WHATSNEW


http://ftp.icdevgroup.org/interchange/5.0/WHATSNEW

 > Interchange 5.0.1 released 2004-03-29.
 >
 > Security
 > --------
 >
 > * Plug a security hole which allows an attacker to expose arbitrary variable
 >   contents by using an URL like
 >   http://shop.example.com/cgi-bin/store/__SQLUSER__.
 >
 >   All Interchange applications using the standard "missing" special page
 >   from the demo catalog or a similar one are vulnerable to this attack.
 >   The attacker may learn the SQL access information for your Interchange
 >   application and use this information to read and manipulate sensitive
 >   data.
 >
 > * Disallow [ and < in page names when setting MV_PAGE and MV_PREV_PAGE
 >   variables.
 >
 > * Prevent login information from getting re-saved on a session cancel.
 >
 > * Define a set of CGI keys that we don't want to save to disk, as
 >   @Global::HideCGI.
 >
 > * Don't show sensitive (i.e. @Global::HideCGI) CGI variables in a dump.
 >   This allows saving a session to disk for diagnositic purposes in case
 >   of order failure.

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC