Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Fwd: [Interchange-announce] Security advisory

  • From: Matt Clauson
  • Date: Thu Mar 22 20:39:51 2001

Apologies if this is off-topic -- however, I know Interchange is a popular 
vending system, and thought it would be in the best interests of anyone here 
to proactively fix their systems, lest customer data get leaked, ala 
Egghead.com.

--mec

----------  Forwarded Message  ----------
Subject: [Interchange-announce] Security advisory
Date: Thu, 22 Mar 2001 19:20:21 -0600 (CST)
From: Jon Jensen <jon@akopia.com>
To: interchange-announce@lists.akopia.com, interchange-users@lists.akopia.com


A serious security vulnerability has been found in the default
installation of the Interchange demo stores 'barry', 'basic', and
'construct' distributed in Interchange versions 4.5.3 through 4.6.3.

Using a group login that had no password set by default, it is possible to
log in to the back-end administration area and view and alter products,
orders, and customer information.

If you set up a store based on one of those demos and did not remove all
default user and group accounts, you should immediately make the following
change:

In all installed catalog directories, as well as the catalog templates in
the Interchange software directory, edit the products/access.asc file,

changing this line:
:backup<tab><tab>Backup

to look like this:
:backup<tab>*<tab>Backup

As with all other Interchange database source files, the placement of the
tabs is significant.

You could also simply delete that line altogether.

Make sure to restart Interchange so your change takes effect.

This problem has been fixed in Interchange 4.6.4, to be released shortly.
As well as blocking password access on that group, there are now also
tighter checks on login attempts. Group logins, user names with invalid
characters, and blank passwords will all be rejected without consulting
the access database.

Many thanks to Jud Harris <jud-lists@copernica.com> for finding and
reporting this problem on the interchange-users list:

http://lists.akopia.com/pipermail/interchange-users/2001-March/005939.html

Jon



_______________________________________________
Interchange-announce mailing list
Interchange-announce@lists.akopia.com
http://lists.akopia.com/mailman/listinfo/interchange-announce

-------------------------------------------------------





Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.