Miva, Miva Script, Miva Empresa, Miva Mia and Miva Merchant are registered trademarks of the Miva Corporation
 
Ivo Truxa - truXoft control systems: advanced programming and custom IT solutions

http://mivo.truxoft.com
MIVO!
miva beyond limits

 

MIVA®  SECURITY: Insecure Miva Templates #2

by Ivo Truxa, 03/13/2000

Form macro attack / URL macro attack / MvCALL DoS attack

Please read an introduction to the templates vulnerability series in the first article.

Other Miva templates also contradict Miva's own instructions: Security issues with macros. I would not spend more time on checking the templates, but I know there are other places where an intruder could penetrate your system. Let's take another concrete example:

URL Macro attack
in the maillist.mv template

If somebody sees that you have maillist.mv installed on your system, he can simply enter a URL similar to the following one to execute any Miva code of his own choice on your system. If you still have the templates in the default dir and you run Mia, you may want to try clicking on the following link to see that it works. Don't worry, the example is harmless.

http://127.0.0.1/templates/maillist.mv?person="><P><MvEVAL%20EXPR="{mivaversion}"><MvEXIT>

Do you see the Miva version number? Then it works! Have a look at the first article about templates to get some idea of what else can happen to you! Remove the templates from your script folder immediately!

The worst part of this example is that even a firewall would not protect you if you access such a URL from a malicious website or e-mail!


Solution?

Any time you see a macro without the ':entities' attribute, you can be almost sure that there is a way to penetrate your system. Check all your scripts! Make sure that nobody can modify the variables of your macros. Your macros can still be abused even with ':entities' on; see the article about JavaScript vulnerabilities!
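One way to carry out the "check all your scripts" step is an audit script like the following. It is an added example, not code from the original article or from Miva. It assumes the Miva Script macro notation &[name]; and &[name:entities];, which does not appear on this page, and its sample template is constructed, not the real maillist.mv.

```python
import re
from pathlib import Path

# Miva Script macro: &[name]; or &[name:entities]; (notation assumed from the
# Miva Script documentation; it does not appear on this page).
MACRO_RE = re.compile(r"&\[\s*([^\]:;]+?)\s*(?::\s*([A-Za-z]+)\s*)?\];")

def find_unencoded_macros(source):
    """Return (line_no, variable, line_text) for each macro lacking ':entities'."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for match in MACRO_RE.finditer(line):
            variable, modifier = match.group(1), match.group(2)
            if (modifier or "").lower() != "entities":
                findings.append((line_no, variable, line.strip()))
    return findings

def scan_tree(root):
    """Scan every *.mv file under root; return {path: findings} for files with hits."""
    report = {}
    for path in sorted(Path(root).rglob("*.mv")):
        hits = find_unencoded_macros(path.read_text(errors="replace"))
        if hits:
            report[str(path)] = hits
    return report

# Constructed sample, not the real maillist.mv: one raw macro inside an
# attribute value (the pattern the URL above breaks out of) and one encoded.
SAMPLE_TEMPLATE = '''<FORM METHOD="POST" ACTION="maillist.mv">
<INPUT TYPE="hidden" NAME="person" VALUE="&[person];">
<INPUT TYPE="text" NAME="email" VALUE="&[email:entities];">
</FORM>'''

if __name__ == "__main__":
    for line_no, variable, text in find_unencoded_macros(SAMPLE_TEMPLATE):
        print(f"line {line_no}: macro '{variable}' is not entity-encoded: {text}")
```

Run scan_tree() over the script folder and review every reported line. An empty report only means every macro is entity-encoded, which does not rule out the JavaScript abuse mentioned above.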

The best solution would be for Miva to encode all macros by default. Only in the exceptional case that you really need a macro without ':entities' would you add something like ':no'. It should be configurable in miva.conf to keep backward compatibility!


Take Care!


copyright  truXoft  © 1997-2012