Full Disclosure mailing list archives
Re: Multiple vulnerabilities in 'pizza_party'
From: Will Image <xillwillx () yahoo com>
Date: Fri, 7 May 2004 16:53:10 -0700 (PDT)
avoid the noid --a- "H. Morrow Long" <morrow.long () yale edu> wrote:
Product: pizza_party URL: http://www.beigerecords.com/cory/pizza_party/ Version: pizza_party 0.1.beta and earlier Risk: Multiple vulnerabilities (high) Description: pizza_party is a Perl based command line tool that provides a non-Web interface to Dominos Pizza's QuikOrder(TM) website pizza ordering service by using HTTP over the Internet. It is third-party open-soruce software, developed by an individual and unsupported by Dominos Pizza. Available at:
http://www.beigerecords.com/cory/pizza_party/download/pizza_party
-0.1.b.tar.gz I believe it may now be in use internally at a large number of corporate organizations (primarily by hard-core coder types who are too focused on the task at hand to get up and go out to get a pizza -- or even to lift up the phone to order one), and installations can also be found on the public Internet. The Problem: pizza_party is very bad about protecting the username and password for the Dominos Pizza QuikOrder website. This may lead to a multitude of vulnerabilities, the most dangerous being that 'ps' can be used to observe the command line input parameters on the stack passed via the shell. Also the non-SSL (unencrypted) web interface (http://www.dominos.quikorder.com) is used over the Internet, so anyone who can capture (sniff) the traffic could easily obtain the Dominos QuikOrder username and password from the standard base64- encoded POST to the website. Either would allow for individuals other than the owner of the Dominos Pizza account to order arbitrary pizzas (with random toppings even) via the Dominos QuikOrder web server and have them delivered -- resulting in chaos, anarchy and confusion. Additionally, there may be other issues resulting from the misuse of this package. It is impossible to tell what other uses might be made of the username/password pair stolen (it might be used by the use for all of their accounts on the Web f'instance). Also note that as the order is sent unencrypted it may be possible for a MITM attack to tamper with the order (potentially adding anchovies, onions or other undesirables). The Fixes: 1. pizza_party should use HTTP over SSL to order the pizza's from Dominos 'secure' QuikOrder website: https://www.dominos.quikorder.com/ Unfortunately there are some problems with the Web certificate for this site. 2. pizza_party should prompt the command line user for the username and password and read them from /dev/tty rather than accept them as params on the command line. 3. pizza_party should also overwrite the store of the username and password (or encrypt them) when they are in memory or an attacker could steal them from RAM, or a swapfile on disk. - H. Morrow Long, CISSP, CISM University Information Security Officer Director -- Information Security Office Yale University, ITS
ATTACHMENT part 2 application/pkcs7-signature
name=smime.p7s __________________________________ Do you Yahoo!? Win a $20,000 Career Makeover at Yahoo! HotJobs http://hotjobs.sweepstakes.yahoo.com/careermakeover _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Multiple vulnerabilities in 'pizza_party' H. Morrow Long (May 07)
- Re: Multiple vulnerabilities in 'pizza_party' Will Image (May 07)
- Re: Multiple vulnerabilities in 'pizza_party' Valdis . Kletnieks (May 07)
- RE: Multiple vulnerabilities in 'pizza_party' Aditya, ALD [Aditya Lalit Deshmukh] (May 07)