Multiple vulnerabilities in 'pizza_party'
From: "H. Morrow Long" <morrow.long () yale edu>
Date: Fri, 7 May 2004 16:17:37 -0400
Version: pizza_party 0.1.beta and earlier
Risk: Multiple vulnerabilities (high)
pizza_party is a Perl based command line tool that provides a non-Web
Dominos Pizza's QuikOrder(TM) website pizza ordering service by using
It is third-party open-source software, developed by an individual and
I believe it may now be in use internally at a large number of
(primarily by hard-core coder types who are too focused on the task at
hand to get up and go out to get a pizza -- or even to lift up the
phone to order one), and installations can also be found on the public
Internet.
pizza_party is very bad about protecting the username and password for
the Dominos Pizza QuikOrder website. This may lead to a multitude of
vulnerabilities, the most dangerous being that 'ps' can be used to
the command line input parameters on the stack passed via the shell.
Also the non-SSL (unencrypted) web interface is used over the Internet,
so anyone who can capture (sniff) the traffic could easily obtain the
Dominos QuikOrder username and password from the standard encoded POST
to the website.
Either would allow for individuals other than the owner of the Dominos
account to order arbitrary pizzas (with random toppings even) via the
QuikOrder web server and have them delivered -- resulting in chaos,
Additionally, there may be other issues resulting from the misuse of
It is impossible to tell what other uses might be made of the
pair stolen (it might be used by the user for all of their accounts on
the Web f'instance).
Also note that as the order is sent unencrypted it may be possible for
a MITM attack to tamper with the order (potentially adding anchovies,
onions or other
1. pizza_party should use HTTP over SSL to order the pizzas from
'secure' QuikOrder website: https://www.dominos.quikorder.com/
Unfortunately there are some problems with the Web certificate for
2. pizza_party should prompt the command line user for the username and
password and read them from /dev/tty rather than accept them as params
on the command line.
3. pizza_party should also overwrite the store of the username and
(or encrypt them) when they are in memory or an attacker could steal
from RAM, or a swapfile on disk.
- H. Morrow Long, CISSP, CISM
University Information Security Officer
Director -- Information Security Office
Yale University, ITS
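
Recommendation 2 above, sketched in Perl as an added example; it is not code from pizza_party or from the author of this advisory. The `prompt_tty` helper and the prompt labels are hypothetical names chosen for illustration.

```perl
#!/usr/bin/perl
# Added example (not pizza_party code): read credentials from the
# controlling terminal so they never appear in argv, where 'ps' shows them.
use strict;
use warnings;
use IO::Handle;
use POSIX qw(:termios_h);

# Prompt on /dev/tty and return one line; $hide turns terminal echo off.
sub prompt_tty {
    my ($label, $hide) = @_;
    open(my $in,  '<', '/dev/tty') or die "no controlling terminal: $!\n";
    open(my $out, '>', '/dev/tty') or die "cannot write to terminal: $!\n";
    $out->autoflush(1);

    my $fd   = fileno($in);
    my $term = POSIX::Termios->new;
    defined $term->getattr($fd) or die "tcgetattr failed: $!\n";
    my $saved   = $term->getlflag;
    my $restore = sub {                 # put the terminal back as found
        $term->setlflag($saved);
        $term->setattr($fd, TCSANOW);
    };

    print {$out} "$label: ";
    my $line;
    if ($hide) {
        # Restore echo even if the user aborts with Ctrl-C at the prompt.
        local $SIG{INT} = sub { $restore->(); print {$out} "\n"; exit 130 };
        $term->setlflag($saved & ~ECHO);
        defined $term->setattr($fd, TCSANOW) or die "tcsetattr failed: $!\n";
        $line = <$in>;
        $restore->();
        print {$out} "\n";
    } else {
        $line = <$in>;
    }
    defined $line or die "no input read for $label\n";
    chomp $line;
    return $line;
}

# Hypothetical entry point: @ARGV would carry only non-secret order
# options; the credentials are always asked for interactively.
my $username = prompt_tty('QuikOrder username', 0);
my $password = prompt_tty('QuikOrder password', 1);
printf "Read credentials for '%s' (%d-character password) from /dev/tty\n",
    $username, length $password;
```

Because the prompt opens /dev/tty directly, it still reaches the user when stdin or stdout is redirected, and it fails outright when there is no controlling terminal instead of silently falling back to another input source.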