lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 7 May 2004 16:53:10 -0700 (PDT) From: Will Image <xillwillx@...oo.com> To: "H. Morrow Long" <morrow.long@...e.edu>, bugtraq@...urityfocus.com Cc: vulnwatch@...nwatch.org, full-disclosure@...ts.netsys.com Subject: Re: Multiple vulnerabilities in 'pizza_party' avoid the noid --a- "H. Morrow Long" <morrow.long@...e.edu> wrote: > Product: pizza_party > URL: > http://www.beigerecords.com/cory/pizza_party/ > Version: pizza_party 0.1.beta and earlier > Risk: Multiple vulnerabilities (high) > > Description: > > pizza_party is a Perl based command line tool that > provides a non-Web > interface to > Dominos Pizza's QuikOrder(TM) website pizza ordering > service by using > HTTP over > the Internet. > > It is third-party open-soruce software, developed by > an individual and > unsupported by > Dominos Pizza. > > Available at: > http://www.beigerecords.com/cory/pizza_party/download/pizza_party > > -0.1.b.tar.gz > > I believe it may now be in use internally at a large > number of > corporate organizations > (primarily by hard-core coder types who are too > focused on the task at > hand to get up > and go out to get a pizza -- or even to lift up the > phone to order > one), and installations > can also be found on the public Internet. > > > The Problem: > > pizza_party is very bad about protecting the > username and password for > the Dominos Pizza QuikOrder website. This may lead > to a multitude of > vulnerabilities, the most dangerous being that 'ps' > can be used to > observe > the command line input parameters on the stack > passed via the shell. > > Also the non-SSL (unencrypted) web interface > (http://www.dominos.quikorder.com) > is used over the Internet, so anyone who can capture > (sniff) the > traffic could easily > obtain the Dominos QuikOrder username and password > from the standard > base64- > encoded POST to the website. > > Either would allow for individuals other than the > owner of the Dominos > Pizza > account to order arbitrary pizzas (with random > toppings even) via the > Dominos > QuikOrder web server and have them delivered -- > resulting in chaos, > anarchy > and confusion. > > Additionally, there may be other issues resulting > from the misuse of > this package. > It is impossible to tell what other uses might be > made of the > username/password > pair stolen (it might be used by the use for all of > their accounts on > the Web f'instance). > > Also note that as the order is sent unencrypted it > may be possible for > a MITM attack > to tamper with the order (potentially adding > anchovies, onions or other > undesirables). > > The Fixes: > > 1. pizza_party should use HTTP over SSL to order the > pizza's from > Dominos > 'secure' QuikOrder website: > https://www.dominos.quikorder.com/ > > Unfortunately there are some problems with the Web > certificate for > this site. > > 2. pizza_party should prompt the command line user > for the username and > password and read them from /dev/tty rather than > accept them as params > on the command line. > > 3. pizza_party should also overwrite the store of > the username and > password > (or encrypt them) when they are in memory or an > attacker could steal > them > from RAM, or a swapfile on disk. > > - H. Morrow Long, CISSP, CISM > University Information Security Officer > Director -- Information Security Office > Yale University, ITS > > ATTACHMENT part 2 application/pkcs7-signature name=smime.p7s __________________________________ Do you Yahoo!? Win a $20,000 Career Makeover at Yahoo! HotJobs http://hotjobs.sweepstakes.yahoo.com/careermakeover _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists