Open Source and information security mailing list archives
Date: Fri, 7 May 2004 16:53:10 -0700 (PDT)
From: Will Image <xillwillx@...oo.com>
To: "H. Morrow Long" <morrow.long@...e.edu>, bugtraq@...urityfocus.com
Cc: vulnwatch@...nwatch.org, full-disclosure@...ts.netsys.com
Subject: Re: Multiple vulnerabilities in 'pizza_party'


avoid the noid
--- "H. Morrow Long" <morrow.long@...e.edu> wrote:
> Product:        pizza_party
> URL:            http://www.beigerecords.com/cory/pizza_party/
> Version:        pizza_party 0.1.beta and earlier
> Risk:           Multiple vulnerabilities (high)
> 
> Description:
> 
> pizza_party is a Perl based command line tool that provides a non-Web
> interface to Dominos Pizza's QuikOrder(TM) website pizza ordering service
> by using HTTP over the Internet.
> 
> It is third-party open-source software, developed by an individual and
> unsupported by Dominos Pizza.
> 
> Available at:
> http://www.beigerecords.com/cory/pizza_party/download/pizza_party-0.1.b.tar.gz
> 
> I believe it may now be in use internally at a large number of corporate
> organizations (primarily by hard-core coder types who are too focused on
> the task at hand to get up and go out to get a pizza -- or even to lift
> up the phone to order one), and installations can also be found on the
> public Internet.
> 
> 
> The Problem:
> 
> pizza_party is very bad about protecting the username and password for
> the Dominos Pizza QuikOrder website. This may lead to a multitude of
> vulnerabilities, the most dangerous being that 'ps' can be used to
> observe the command line input parameters on the stack passed via the
> shell.
> 
> Also the non-SSL (unencrypted) web interface
> (http://www.dominos.quikorder.com) is used over the Internet, so anyone
> who can capture (sniff) the traffic could easily obtain the Dominos
> QuikOrder username and password from the standard base64-encoded POST to
> the website.
> 
> Either would allow for individuals other than the owner of the Dominos
> Pizza account to order arbitrary pizzas (with random toppings even) via
> the Dominos QuikOrder web server and have them delivered -- resulting in
> chaos, anarchy and confusion.
> 
> Additionally, there may be other issues resulting from the misuse of this
> package. It is impossible to tell what other uses might be made of the
> username/password pair stolen (it might be used by the user for all of
> their accounts on the Web f'instance).
> 
> Also note that as the order is sent unencrypted it may be possible for a
> MITM attack to tamper with the order (potentially adding anchovies,
> onions or other undesirables).
> 
> The Fixes:
> 
> 1.	pizza_party should use HTTP over SSL to order the pizzas from Dominos
> 	'secure' QuikOrder website: https://www.dominos.quikorder.com/
> 
> 	Unfortunately there are some problems with the Web certificate for
> 	this site.
> 
> 2.	pizza_party should prompt the command line user for the username and
> 	password and read them from /dev/tty rather than accept them as params
> 	on the command line.
> 
> 3.	pizza_party should also overwrite the store of the username and
> 	password (or encrypt them) when they are in memory or an attacker
> 	could steal them from RAM, or a swapfile on disk.
> 
> - H. Morrow Long, CISSP, CISM
>    University Information Security Officer
>    Director -- Information Security Office
>    Yale University, ITS
> 

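The two credential exposures in the quoted advisory (a base64-encoded credential in cleartext HTTP, and secrets passed on the command line where `ps` shows them) and fix #2 (read the secret from /dev/tty), as an added example in Python. This is not code from the thread or from pizza_party itself: the captured request, its host and the credentials are constructed for the demonstration, and `read_credentials_from_tty` is a hypothetical replacement for taking the secret as a command-line parameter.

```python
"""Added example: why a base64 "Basic" credential on plain HTTP is readable
by anyone sniffing the wire, and how a CLI tool reads a secret from the
terminal instead of argv (where `ps` would show it to every local user)."""
import base64
import getpass
import sys
from typing import Optional, Tuple

# Constructed sample capture (host, path and credentials are made up).
# This is what a sniffer sees for an unencrypted POST using HTTP Basic auth:
# the Authorization value is base64, which is an encoding, not encryption.
CAPTURED_REQUEST = (
    b"POST /order HTTP/1.1\r\n"
    b"Host: www.example.invalid\r\n"
    b"Authorization: Basic cGl6emFfZmFuOmV4dHJhLWNoZWVzZQ==\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 20\r\n"
    b"\r\n"
    b"size=large&topping=3"
)


def recover_basic_credentials(raw_request: bytes) -> Optional[Tuple[str, str]]:
    """Return (username, password) from an HTTP Basic Authorization header.

    Returns None when there is no Authorization header, the scheme is not
    Basic, or the token is not valid base64. Only the header block is
    parsed; the body after the blank line is ignored.
    """
    head, _, _body = raw_request.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if not sep or name.strip().lower() != b"authorization":
            continue
        scheme, _, token = value.strip().partition(b" ")
        if scheme.lower() != b"basic":
            return None
        try:
            decoded = base64.b64decode(token.strip(), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            return None
        user, _, password = decoded.partition(b":")
        return user.decode("latin-1"), password.decode("latin-1")
    return None


def read_credentials_from_tty() -> Tuple[str, str]:
    """Hypothetical replacement for `tool --user U --pass P`.

    Prompts on the controlling terminal rather than reading argv, so the
    secret never appears in `ps` output or /proc/<pid>/cmdline. getpass
    opens /dev/tty itself and disables echo while the password is typed.
    Interactive; not exercised by the test.
    """
    with open("/dev/tty", "r+") as tty:
        tty.write("QuikOrder username: ")
        tty.flush()
        username = tty.readline().rstrip("\n")
    password = getpass.getpass("QuikOrder password: ")
    return username, password


if __name__ == "__main__":
    creds = recover_basic_credentials(CAPTURED_REQUEST)
    if creds is None:
        print("no Basic credential in capture")
        sys.exit(1)
    print("recovered from cleartext capture: user=%r password=%r" % creds)
```

Moving the request to HTTPS puts the whole header inside TLS, which is what the advisory's fix #1 addresses; fix #2 is the terminal prompt above. Note that environment variables are not a safe substitute for argv either, since on Linux the same user can read them from /proc/<pid>/environ.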
