lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <95AF4064-A063-11D8-959E-000A95D9FBB6@yale.edu>
From: morrow.long at yale.edu (H. Morrow Long)
Subject: Multiple vulnerabilities in 'pizza_party'

Product:        pizza_party
URL:              http://www.beigerecords.com/cory/pizza_party/
Version:        pizza_party 0.1.beta and earlier
Risk:              Multiple vulnerabilities (high)

Description:

pizza_party is a Perl based command line tool that provides a non-Web  
interface to
Dominos Pizza's QuikOrder(TM) website pizza ordering service by using  
HTTP over
the Internet.

It is third-party open-soruce software, developed by an individual and  
unsupported by
Dominos Pizza.

Available at:
http://www.beigerecords.com/cory/pizza_party/download/pizza_party 
-0.1.b.tar.gz

I believe it may now be in use internally at a large number of  
corporate organizations
(primarily by hard-core coder types who are too focused on the task at  
hand to get up
and go out to get a pizza -- or even to lift up the phone to order  
one), and installations
can also be found on the public Internet.


The Problem:

pizza_party is very bad about protecting the username and password for
the Dominos Pizza QuikOrder website. This may lead to a multitude of
vulnerabilities, the most dangerous being that 'ps' can be used to  
observe
the command line input parameters on the stack passed via the shell.

Also the non-SSL (unencrypted) web interface  
(http://www.dominos.quikorder.com)
is used over the Internet, so anyone who can capture (sniff) the  
traffic could easily
obtain the Dominos QuikOrder username and password from the standard  
base64-
encoded POST to the website.

Either would allow for individuals other than the owner of the Dominos  
Pizza
account to order arbitrary pizzas (with random toppings even) via the  
Dominos
QuikOrder web server and have them delivered  -- resulting in chaos,  
anarchy
and confusion.

Additionally, there may be other issues resulting from the misuse of  
this package.
It is impossible to tell what other uses might be made of the  
username/password
pair stolen (it might be used by the use for all of their accounts on  
the Web f'instance).

Also note that as the order is sent unencrypted it may be possible for  
a MITM attack
to tamper with the order (potentially adding anchovies, onions or other  
undesirables).

The Fixes:

1.	pizza_party should use HTTP over SSL to order the pizza's from  
Dominos
	'secure' QuikOrder website:	https://www.dominos.quikorder.com/

	Unfortunately there are some problems with the Web certificate for  
this site.

2.	pizza_party should prompt the command line user for the username and
	password and read them from /dev/tty rather than accept them as params
	on the command line.

3.	pizza_party should also overwrite the store of the username and  
password
	(or encrypt them) when they are in memory or an attacker could steal  
them
	from RAM, or a swapfile on disk.

- H. Morrow Long, CISSP, CISM
   University Information Security Officer
   Director -- Information Security Office
   Yale University, ITS
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3035 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040507/c5e45701/smime.bin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ