Full Disclosure: Re: Multiple vulnerabilities in 'pizza_party'

[Will Image <xillwillx () yahoo com>]

avoid the noid





--a- "H. Morrow Long" <morrow.long () yale edu> wrote:
> Product:        pizza_party
> URL:             
> http://www.beigerecords.com/cory/pizza_party/
> Version:        pizza_party 0.1.beta and earlier
> Risk:              Multiple vulnerabilities (high)
>
> Description:
>
> pizza_party is a Perl based command line tool that
> provides a non-Web  
> interface to
> Dominos Pizza's QuikOrder(TM) website pizza ordering
> service by using  
> HTTP over
> the Internet.
>
> It is third-party open-soruce software, developed by
> an individual and  
> unsupported by
> Dominos Pizza.
>
> Available at:
http://www.beigerecords.com/cory/pizza_party/download/pizza_party
> -0.1.b.tar.gz
>
> I believe it may now be in use internally at a large
> number of  
> corporate organizations
> (primarily by hard-core coder types who are too
> focused on the task at  
> hand to get up
> and go out to get a pizza -- or even to lift up the
> phone to order  
> one), and installations
> can also be found on the public Internet.
>
>
> The Problem:
>
> pizza_party is very bad about protecting the
> username and password for
> the Dominos Pizza QuikOrder website. This may lead
> to a multitude of
> vulnerabilities, the most dangerous being that 'ps'
> can be used to  
> observe
> the command line input parameters on the stack
> passed via the shell.
>
> Also the non-SSL (unencrypted) web interface  
> (http://www.dominos.quikorder.com)
> is used over the Internet, so anyone who can capture
> (sniff) the  
> traffic could easily
> obtain the Dominos QuikOrder username and password
> from the standard  
> base64-
> encoded POST to the website.
>
> Either would allow for individuals other than the
> owner of the Dominos  
> Pizza
> account to order arbitrary pizzas (with random
> toppings even) via the  
> Dominos
> QuikOrder web server and have them delivered  --
> resulting in chaos,  
> anarchy
> and confusion.
>
> Additionally, there may be other issues resulting
> from the misuse of  
> this package.
> It is impossible to tell what other uses might be
> made of the  
> username/password
> pair stolen (it might be used by the use for all of
> their accounts on  
> the Web f'instance).
>
> Also note that as the order is sent unencrypted it
> may be possible for  
> a MITM attack
> to tamper with the order (potentially adding
> anchovies, onions or other  
> undesirables).
>
> The Fixes:
>
> 1.    pizza_party should use HTTP over SSL to order the
> pizza's from  
> Dominos
>       'secure' QuikOrder website:
> https://www.dominos.quikorder.com/
>
>       Unfortunately there are some problems with the Web
> certificate for  
> this site.
>
> 2.    pizza_party should prompt the command line user
> for the username and
>       password and read them from /dev/tty rather than
> accept them as params
>       on the command line.
>
> 3.    pizza_party should also overwrite the store of
> the username and  
> password
>       (or encrypt them) when they are in memory or an
> attacker could steal  
> them
>       from RAM, or a swapfile on disk.
>
> - H. Morrow Long, CISSP, CISM
>    University Information Security Officer
>    Director -- Information Security Office
>    Yale University, ITS
> ATTACHMENT part 2 application/pkcs7-signature
name=smime.p7s




        
                
__________________________________
Do you Yahoo!?
Win a $20,000 Career Makeover at Yahoo! HotJobs  
http://hotjobs.sweepstakes.yahoo.com/careermakeover 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html