Openhack gets cracked!

Seven days after the start of our Openhack security competition at www.openhack.
Written by Timothy Dyck, Contributor

Seven days after the start of our Openhack security competition at www.openhack.com, we've had our first successful crack, of the e-commerce storefront. The rest of the site, including the Web server, mail server and database, is still secure and remains a target of attack.

On July 3, Austrian hacker Alexander Lazic penetrated our e-commerce storefront package, Akopia Inc.'s Mini Vend, by finding and exploiting two previously unknown application security holes. (The package, including new security updates, is available at www.minivend.com.)

Also on July 3, we informed Mini Vend author Mike Heins of the security problems. Heins, who is based in Oxford, Ohio, posted a workaround and a patch to the MiniVend users mailing list on the morning of July 5 and told us that an updated version of Mini Vend—without the holes—will shortly be posted on the product's Web site.

The new security information and updates will be vital for the many MiniVend users on the Web. Heins estimates that between 5,000 and 10,000 people have deployed the product and that it is live on tens of thousands of sites. It's been downloaded nearly 1 million times, and "a fair number" of these sites will be vulnerable to this new crack, Heins said.

The simplest way MiniVend sites can protect their storefronts is to delete the VIEW_PAGE.HTML file from their sites because it has a security hole.

Here's how Lazic got into the site. After standard network scans turned up nothing promising, he identified the software we used for our storefront—MiniVend. He then downloaded the Mini Vend code, which is freely available, and went through it looking for security holes.

The first flaw Lazic found lies in the VIEW_PAGE.HTML file. It is part of Mini Vend's sample store (highlighting the dangers of sample code) and doesn't check for a pipe (a vertical bar) in a passed file name. This means an operating system command can be appended to a file name.

VIEW_PAGE.HTML then calls a Mini Vend subroutine called READFILE in the file UTIL.PM, which has a second hole: The code uses the Perl system call OPEN in an insecure way to check if the file exists. Specifically, the OPEN command, as used in UTIL.PM, passes its input to a command shell. If this input has a pipe in it followed by a command, the command gets executed using the permissions of the MiniVend program.

"That's a wrong thing to do," Heins said. "MiniVend is almost five years old, and some [of the code] has just stayed there. I probably would not have done it that way if I had written that particular routine in the last few years."

At this point, Lazic could run any operating system command as the MiniVend user. He renamed the original store home page and then used the Unix ECHO command to create a new store home page in its place.

We could have prevented this part by making MiniVend's templates read-only for the MiniVend user. Defense in depth is the mantra in security, and we have made these file permission changes.

Note that Lazic did not get root access on our e-commerce server. We have installed all of the operating system security patches that could affect our configurations and, as far as we know, are protected against all known local and remote root exploits.

West Coast Technical Director Timothy Dyck can be reached at timothy_dyck @ziffdavis.com.

Editorial standards