[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20040507235310.98589.qmail@web11409.mail.yahoo.com>
From: xillwillx at yahoo.com (Will Image)
Subject: Multiple vulnerabilities in 'pizza_party'
avoid the noid
--a- "H. Morrow Long" <morrow.long@...e.edu> wrote:
> Product: pizza_party
> URL:
> http://www.beigerecords.com/cory/pizza_party/
> Version: pizza_party 0.1.beta and earlier
> Risk: Multiple vulnerabilities (high)
>
> Description:
>
> pizza_party is a Perl based command line tool that
> provides a non-Web
> interface to
> Dominos Pizza's QuikOrder(TM) website pizza ordering
> service by using
> HTTP over
> the Internet.
>
> It is third-party open-soruce software, developed by
> an individual and
> unsupported by
> Dominos Pizza.
>
> Available at:
>
http://www.beigerecords.com/cory/pizza_party/download/pizza_party
>
> -0.1.b.tar.gz
>
> I believe it may now be in use internally at a large
> number of
> corporate organizations
> (primarily by hard-core coder types who are too
> focused on the task at
> hand to get up
> and go out to get a pizza -- or even to lift up the
> phone to order
> one), and installations
> can also be found on the public Internet.
>
>
> The Problem:
>
> pizza_party is very bad about protecting the
> username and password for
> the Dominos Pizza QuikOrder website. This may lead
> to a multitude of
> vulnerabilities, the most dangerous being that 'ps'
> can be used to
> observe
> the command line input parameters on the stack
> passed via the shell.
>
> Also the non-SSL (unencrypted) web interface
> (http://www.dominos.quikorder.com)
> is used over the Internet, so anyone who can capture
> (sniff) the
> traffic could easily
> obtain the Dominos QuikOrder username and password
> from the standard
> base64-
> encoded POST to the website.
>
> Either would allow for individuals other than the
> owner of the Dominos
> Pizza
> account to order arbitrary pizzas (with random
> toppings even) via the
> Dominos
> QuikOrder web server and have them delivered --
> resulting in chaos,
> anarchy
> and confusion.
>
> Additionally, there may be other issues resulting
> from the misuse of
> this package.
> It is impossible to tell what other uses might be
> made of the
> username/password
> pair stolen (it might be used by the use for all of
> their accounts on
> the Web f'instance).
>
> Also note that as the order is sent unencrypted it
> may be possible for
> a MITM attack
> to tamper with the order (potentially adding
> anchovies, onions or other
> undesirables).
>
> The Fixes:
>
> 1. pizza_party should use HTTP over SSL to order the
> pizza's from
> Dominos
> 'secure' QuikOrder website:
> https://www.dominos.quikorder.com/
>
> Unfortunately there are some problems with the Web
> certificate for
> this site.
>
> 2. pizza_party should prompt the command line user
> for the username and
> password and read them from /dev/tty rather than
> accept them as params
> on the command line.
>
> 3. pizza_party should also overwrite the store of
> the username and
> password
> (or encrypt them) when they are in memory or an
> attacker could steal
> them
> from RAM, or a swapfile on disk.
>
> - H. Morrow Long, CISSP, CISM
> University Information Security Officer
> Director -- Information Security Office
> Yale University, ITS
>
> ATTACHMENT part 2 application/pkcs7-signature
name=smime.p7s
__________________________________
Do you Yahoo!?
Win a $20,000 Career Makeover at Yahoo! HotJobs
http://hotjobs.sweepstakes.yahoo.com/careermakeover
Powered by blists - more mailing lists