Bugtraq mailing list archives
FW: Akopia Interchange E-commerce Package Demo Files Vulnerability
From: David Kennedy CISSP <david.kennedy () ACM ORG>
Date: Fri, 23 Mar 2001 12:01:59 -0500
[Interchange-announce] Security advisory
Jon Jensen jon () akopia com
Thu, 22 Mar 2001 19:20:21 -0600 (CST)

A serious security vulnerability has been found in the default installation of the Interchange demo stores 'barry', 'basic', and 'construct' distributed in Interchange versions 4.5.3 through 4.6.3. Using a group login that had no password set by default, it is possible to log in to the back-end administration area and view and alter products, orders, and customer information.

If you set up a store based on one of those demos and did not remove all default user and group accounts, you should immediately make the following change:

In all installed catalog directories, as well as the catalog templates in the Interchange software directory, edit the products/access.asc file, changing this line:

    :backup<tab><tab>Backup

to look like this:

    :backup<tab>*<tab>Backup

As with all other Interchange database source files, the placement of the tabs is significant. You could also simply delete that line altogether. Make sure to restart Interchange so your change takes effect.

This problem has been fixed in Interchange 4.6.4, to be released shortly. As well as blocking password access on that group, there are now also tighter checks on login attempts. Group logins, user names with invalid characters, and blank passwords will all be rejected without consulting the access database.

Many thanks to Jud Harris <jud-lists () copernica com> for finding and reporting this problem on the interchange-users list:

http://lists.akopia.com/pipermail/interchange-users/2001-March/005939.html

Jon

--
Dave Kennedy CISSP
Director of Research Services
TruSecure Corp.
http://www.trusecure.com
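As an added example (not code from the advisory or the Interchange project), the Python below audits an access.asc-style file for the passwordless group entry described above, applies the '*' fix, and models the pre-login checks the advisory says 4.6.4 adds. The column layout (username, password, name) and the allowed user-name character set are assumptions; the sample file is constructed around the line quoted in the advisory.

```python
import re

# Constructed sample modelled on the line quoted in the advisory.  Tabs separate
# fields; the header row (username, password, name) is an assumed layout.
SAMPLE_ACCESS_ASC = (
    "username\tpassword\tname\n"
    ":backup\t\tBackup\n"                     # group login with empty password
    ":admin\t*\tAdmins\n"                     # the hardened form from the advisory
    "jane\t$1$salt$hashhashhash\tJane Doe\n"  # ordinary user (constructed hash)
)

# Assumed set of characters allowed in a user name (the advisory names no set).
VALID_USER = re.compile(r"^[A-Za-z0-9_.@-]+$")

def parse_access_asc(text):
    """Split a tab-delimited access.asc into rows keyed by the header fields."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = lines[0].split("\t")
    rows = []
    for line in lines[1:]:
        fields = line.split("\t")
        fields += [""] * (len(header) - len(fields))  # pad short rows
        rows.append(dict(zip(header, fields)))
    return rows

def find_passwordless_groups(text):
    """Group accounts (leading ':') whose password field is empty."""
    return [r["username"] for r in parse_access_asc(text)
            if r["username"].startswith(":") and r["password"] == ""]

def harden(text):
    """Rewrite the file with '*' in the password field of every passwordless group."""
    out = []
    for i, line in enumerate(text.splitlines()):
        fields = line.split("\t")
        if i > 0 and len(fields) > 1 and fields[0].startswith(":") and fields[1] == "":
            fields[1] = "*"
        out.append("\t".join(fields))
    return "\n".join(out) + "\n"

def login_precheck(username, password):
    """Checks to run before consulting the access database; returns (ok, reason)."""
    if username.startswith(":"):
        return False, "group login"
    if not VALID_USER.match(username):
        return False, "invalid characters in user name"
    if password == "":
        return False, "blank password"
    return True, "proceed to access database lookup"
```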