
InterChange Passwordless Account



Vulnerability

    Interchange

Affected

    Interchange versions 4.5.3 through 4.6.3

Description

    Jon Jensen reported the following.  A serious security vulnerability
    has been found in the default installation of the Interchange demo
    stores 'barry', 'basic', and 'construct' distributed in Interchange
    versions 4.5.3 through 4.6.3.

    The access database shipped with those demos contains a group login
    ('backup') whose password field is empty.  Because the file is part
    of every copy of the demos, the group name is effectively public, and
    anyone who supplies it can log in to the back-end administration
    area and view and alter products, orders, and customer information.

    Jud Harris originally found this.

Solution

    If you set up a store based on one of those demos and did not
    remove all default user and group accounts, you should
    immediately make the following change.

    In  all  installed  catalog  directories,  as  well as the catalog
    templates  in  the  Interchange   software  directory,  edit   the
    products/access.asc file, changing this line:

        :backup<tab><tab>Backup

    to look like this:

        :backup<tab>*<tab>Backup

    As with all other Interchange database source files, the placement
    of the tabs is significant: the empty field between the two tabs is
    the password column, and the '*' fills it.  Following the same
    convention as a locked /etc/shadow entry, no password hash can ever
    equal '*', so the group can no longer log in.  You could also simply
    delete that line altogether.  Fix the template copies too, because a
    catalog created later from a template inherits its access.asc.  Make
    sure to restart Interchange so your change takes effect.
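    The remediation above is a manual edit per catalog.  The script below
    is an added example, not code from the Interchange project or from
    the advisory: it walks every catalog under a directory, reports each
    access.asc row whose password field is empty, and with --fix rewrites
    that field to '*' while leaving every other tab in place.  It assumes
    things the page does not state: that access.asc is tab-separated,
    that its first line is a header naming the columns, and that the
    password column is called 'password'.  The embedded sample file and
    the admin hash in it are constructed for the demonstration.

```python
"""Audit Interchange-style access.asc files for rows with an empty password
field and lock them the way the advisory suggests (password field set to '*').

Added example, not code from the Interchange project or the advisory.
Assumptions not stated on the page: the file is tab-separated, its first line
is a header naming the columns, and the password column is named 'password'.
"""
from __future__ import annotations

import sys
from pathlib import Path

# Constructed sample modelled on the advisory: a group entry (leading ':')
# whose password field is empty. The 'admin' hash is a made-up placeholder.
SAMPLE_ACCESS_ASC = (
    "code\tpassword\tname\n"
    "admin\tAbCd.placeholder\tAdministrator\n"
    ":backup\t\tBackup\n"
    ":viewonly\t*\tView Only\n"
)

LOCK_MARKER = "*"  # no crypt(3) hash can ever equal '*', so the row cannot log in


def _password_index(header: str, column: str) -> int:
    """Locate the password column from the header row (assumed present)."""
    fields = header.split("\t")
    if column not in fields:
        raise ValueError(f"no {column!r} column in header: {fields}")
    return fields.index(column)


def find_passwordless(text: str, column: str = "password") -> list[tuple[int, str, bool]]:
    """Return (line number, code, is_group) for every row with an empty password field."""
    lines = text.splitlines()
    if not lines:
        return []
    idx = _password_index(lines[0], column)
    hits = []
    for lineno, line in enumerate(lines[1:], start=2):
        if not line.strip():
            continue  # blank line, not a record
        fields = line.split("\t")
        # A row too short to reach the password column has no password either.
        password = fields[idx] if idx < len(fields) else ""
        if password == "":
            hits.append((lineno, fields[0], fields[0].startswith(":")))
    return hits


def lock_passwordless(text: str, column: str = "password") -> str:
    """Return the file text with '*' in every empty password field.

    Only the password field changes; every other tab stays where it was,
    because Interchange reads these files by tab position.
    """
    lines = text.splitlines()
    if not lines:
        return text
    idx = _password_index(lines[0], column)
    out = [lines[0]]
    for line in lines[1:]:
        fields = line.split("\t")
        if line.strip():
            while len(fields) <= idx:  # pad a short row up to the password column
                fields.append("")
            if fields[idx] == "":
                fields[idx] = LOCK_MARKER
        out.append("\t".join(fields))
    trailer = "\n" if text.endswith("\n") else ""
    return "\n".join(out) + trailer


def audit_tree(root: Path, fix: bool = False) -> list[str]:
    """Scan every */products/access.asc below root; return human-readable findings."""
    findings = []
    for path in sorted(root.glob("*/products/access.asc")):
        text = path.read_text()
        hits = find_passwordless(text)
        for lineno, code, is_group in hits:
            kind = "group" if is_group else "user"
            findings.append(f"{path}:{lineno}: {kind} {code!r} has an empty password")
        if fix and hits:
            path.write_text(lock_passwordless(text))
    return findings


if __name__ == "__main__":
    # usage: python audit_access.py /path/to/catalogs [--fix]
    args = [a for a in sys.argv[1:] if a != "--fix"]
    root = Path(args[0]) if args else Path(".")
    for finding in audit_tree(root, fix="--fix" in sys.argv):
        print(finding)
```

    Run it once against the catalog root and once against the template
    directory inside the Interchange software tree, then restart
    Interchange, as the advisory says, so the rewritten files are read.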

    This problem has been fixed in Interchange 4.6.4, to be released
    shortly.  As well as blocking password access for that group, there
    are now tighter checks on login attempts: group logins, user names
    containing invalid characters, and blank passwords are all rejected
    before the access database is consulted, so a stray empty password
    field can no longer be matched by an empty submitted password.

