Re: [ic] No User Name / Password Needed for Admin Area
On Fri, 8 Jun 2001, Christopher VanOosterhout wrote:
> I originally installed Interchange about five months ago. Using the
> version then available from Akopia.
>
> It included the construct template.
>
> However, once I installed the program I created a store using the
> instructions in the Akopia document called: "Interchange: Catalog--Building
> Tutorial."
You mean you used the catalog tutorial for a *real* store? Instead of
construct? The tutorial was never meant to be the basis for a real store.
Nobody's ever audited it for security, it doesn't encrypt orders, etc.
etc. I thought we made ample warning about that in the tutorial. I guess
we'll have to warn louder. But congratulations on building a store from
such humble beginnings. :)
> Is the admin area automatically open by default?
>
> I notice when I try to get into the admin area of the construct store on
> the same server it asks me for a user name and password. However if the
> /admin/index.html gets tacked on to the end of one of the other stores, it
> allows people into the area without asking for a user name and password.
It looks like you've found a new security vulnerability. If the access
database does not exist (is not defined at all by catalog.cfg or its
includes), then you get wide-open access.
About the only way you'd find yourself in this situation is by building a
catalog from scratch but leaving the admin UI enabled.
> Eventually I would possibly like to use the admin area, however right now
> ... especially if it allows anyone in to alter it ... I would like to
> disconnect it or cover it by a password.
You should go into interchange.cfg right away and comment out "Variable
UI 1" by putting '#' at the beginning of the line. Then restart and make
sure the admin is no longer available.
In the future I think we'll have the admin pages deny access if there's no
access database at all.
Jon
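As an added example that is not part of the original thread, a small shell audit for the condition Jon describes: the admin UI left enabled by "Variable UI 1" while the catalog defines no access database. It assumes a `Database access ...` line declares that table in catalog.cfg and that an `include` directive pulls in further config files; both are assumptions about the config syntax, as are the constructed sample files.

```shell
#!/bin/sh
# Added audit helper, not from the original thread. It flags the exact
# condition the reply describes: admin UI enabled ("Variable UI 1" active
# in interchange.cfg) while catalog.cfg, including files it pulls in with
# an "include" directive, defines no "access" database. The "Database access"
# and "include" line shapes are assumptions about the config syntax.

# 0 if an uncommented "Variable UI 1" line exists (a leading '#' disables it).
ui_enabled() {
    grep -Eq '^[[:space:]]*Variable[[:space:]]+UI[[:space:]]+1([[:space:]]|$)' "$1"
}

# 0 if the file, or any file it includes (paths relative to the file),
# defines a Database named "access". Recursion runs in a subshell so the
# loop variables of the caller are not clobbered.
access_db_defined() {
    grep -Eq '^[[:space:]]*Database[[:space:]]+access[[:space:]]' "$1" && return 0
    dir=$(dirname "$1")
    for inc in $(sed -En 's/^[[:space:]]*include[[:space:]]+([^[:space:]]+).*/\1/p' "$1"); do
        [ -f "$dir/$inc" ] && ( access_db_defined "$dir/$inc" ) && return 0
    done
    return 1
}

# Prints one verdict per catalog: DISABLED (UI off), OK, or VULNERABLE.
audit_admin_access() {
    if ! ui_enabled "$1"; then echo DISABLED; return; fi
    if access_db_defined "$2"; then echo OK; else echo VULNERABLE; fi
}

# Constructed sample configs (not real Interchange files) so the audit runs offline.
SAMPLE_DIR=$(mktemp -d)
printf 'Variable UI 1\n'                      > "$SAMPLE_DIR/ic_on.cfg"
printf '# Variable UI 1\n'                    > "$SAMPLE_DIR/ic_off.cfg"
printf 'Database products products.txt TAB\n' > "$SAMPLE_DIR/cat_noaccess.cfg"
printf 'Database access access.txt TAB\n'     > "$SAMPLE_DIR/cat_access.cfg"
printf 'include admin_tables.cfg\n'           > "$SAMPLE_DIR/cat_include.cfg"
printf 'Database access access.txt TAB\n'     > "$SAMPLE_DIR/admin_tables.cfg"

for cat in cat_noaccess cat_access cat_include; do
    echo "$cat with UI on:  $(audit_admin_access "$SAMPLE_DIR/ic_on.cfg" "$SAMPLE_DIR/$cat.cfg")"
done
echo "cat_noaccess with UI off: $(audit_admin_access "$SAMPLE_DIR/ic_off.cfg" "$SAMPLE_DIR/cat_noaccess.cfg")"
```

Run it against a real installation by passing the server's interchange.cfg and each catalog's catalog.cfg to `audit_admin_access`; a VULNERABLE verdict is the open-admin situation from the thread.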