Slashdot Mirror


Pizza From the Command Line

Punk Walrus writes "Pizza Party is a free, text based CLI for ordering Domino's pizza via Quikorder, or for throwing pizza parties. It is distributed under the GNU General Public License, runs under most *nix shells, and can order pizza with only a few keystrokes. Includes video of actual ordering."

8 of 418 comments

  1. And ironically enough, Quikorder is flawed. by Tuxedo+Jack · · Score: 4, Informative

    You know all those one-time specials? The ones you only get as a new subscriber? You can get them infinitely.

    Just make a new Hotmail account for each order.

    The database is flawed in that it doesn't cross-verify addresses/credit cards with previous orders or e-mail addresses.

    Great for Pizza Hut - I used to get Big New Yorkers any way I liked for ten bucks plus tip back in the day.

    --

    Striking fear in the authors of godawful fanfiction, I am here, appearing in darkness, Tuxedo Jack!
  2. Re:Interesting by samoverton · · Score: 4, Informative

    already a GUI.

    How did you think the command line program ordered it? Magic?

  3. Video Mirror by chrispyman · · Score: 5, Informative

    In case of /.'ing, here's a mirror of the ordering pizza video pizza_party.mpg.

  4. Pizza Party vulnerability by Anonymous Coward · · Score: 5, Informative
  5. for those of you in college areas by MoneyT · · Score: 4, Informative

    check out www.campusfood.com not a bad site, useful late at night when you're leaving the lab and on your way back to your dorm, schedule a delivery and it'll be there when you get there.

    --
    T Money
    World Domination with a plastic spoon since 1984
  6. RTFA your own article by phoxix · · Score: 4, Informative

    From the article itself ...

    Thomas Monaghan is an American billionaire who made a fortune from the Domino's Pizza chain. By the time he sold it, he had used the profits to finance and raise an ultra-right politico-religious imperium.

    Sunny Dubey

  7. Re:Don't Eat At Domino's, And Not Because Of The F by seichert · · Score: 3, Informative
    Thomas Monaghan does NOT own Domino's pizza anymore. He sold it to Bain Capital Inc. for $1 billion in 1998. Please mod the parent post down, it is certainly not informative.

    http://www.snopes.com/business/alliance/domino.asp

    --

    Stuart Eichert

  8. Vulns reported to [Full-Disclosure] by nfsilkey · · Score: 3, Informative

    This came to me at 3:17pm CST ...

    Product: pizza_party
    URL: http://www.beigerecords.com/cory/pizza_party/
    Version: pizza_party 0.1.beta and earlier
    Risk: Multiple vulnerabilities (high)

    Description:

    pizza_party is a Perl based command line tool that provides a non-Web interface to
    Dominos Pizza's QuikOrder(TM) website pizza ordering service by using HTTP over
    the Internet.

    It is third-party open-source software, developed by an individual and unsupported by
    Dominos Pizza.

    Available at:
    http://www.beigerecords.com/cory/pizza_party/download/pizza_party-0.1.b.tar.gz

    I believe it may now be in use internally at a large number of corporate organizations
    (primarily by hard-core coder types who are too focused on the task at hand to get up
    and go out to get a pizza -- or even to lift up the phone to order one), and installations
    can also be found on the public Internet.

    The Problem:

    pizza_party is very bad about protecting the username and password for
    the Dominos Pizza QuikOrder website. This may lead to a multitude of
    vulnerabilities, the most dangerous being that 'ps' can be used to observe
    the command line input parameters on the stack passed via the shell.

    Also the non-SSL (unencrypted) web interface (http://www.dominos.quikorder.com)
    is used over the Internet, so anyone who can capture (sniff) the traffic could easily
    obtain the Dominos QuikOrder username and password from the standard base64-
    encoded POST to the website.

    Either would allow for individuals other than the owner of the Dominos Pizza
    account to order arbitrary pizzas (with random toppings even) via the Dominos
    QuikOrder web server and have them delivered -- resulting in chaos, anarchy
    and confusion.

    Additionally, there may be other issues resulting from the misuse of this package.
    It is impossible to tell what other uses might be made of the username/password
    pair stolen (it might be used by the user for all of their accounts on the Web f'instance).

    Also note that as the order is sent unencrypted it may be possible for a MITM attack
    to tamper with the order (potentially adding anchovies, onions or other undesirables).

    The Fixes:

    1. pizza_party should use HTTP over SSL to order the pizzas from Dominos
    'secure' QuikOrder website: https://www.dominos.quikorder.com/

    Unfortunately there are some problems with the Web certificate for this site.

    2. pizza_party should prompt the command line user for the username and
    password and read them from /dev/tty rather than accept them as params
    on the command line.

    3. pizza_party should also overwrite the store of the username and password
    (or encrypt them) when they are in memory or an attacker could steal them
    from RAM, or a swapfile on disk.

    - H. Morrow Long, CISSP, CISM
    University Information Security Officer
    Director -- Information Security Office
    Yale University, ITS
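
The 'ps' exposure and fix 2 from the advisory in comment 8, as an added example that is not part of the original post or of pizza_party: a stand-in client is started once with a password on its command line and once with the password delivered outside argv, and each time the argv that other local users can read is checked. The `--password=` option name, the sample secret and the child one-liner are constructed for illustration; the stdin pipe stands in for the `/dev/tty` prompt so the check runs unattended.

```python
import getpass
import subprocess
import sys

SECRET = "constructed-password-123"           # constructed sample value
CHILD = "import sys; sys.stdin.readline()"    # stand-in client: waits for one stdin line


def visible_cmdline(pid):
    """Return the argv of `pid` as other local users see it (the data `ps` prints)."""
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as f:        # Linux
            return f.read().replace(b"\0", b" ").decode(errors="replace")
    except OSError:                                          # other Unix: ask ps itself
        out = subprocess.run(["ps", "-o", "args=", "-p", str(pid)],
                             capture_output=True, text=True)
        return out.stdout


def secret_exposed(secret, via_argv):
    """Start the stand-in client and report whether `secret` shows in its argv."""
    argv = [sys.executable, "-c", CHILD]
    if via_argv:
        argv.append("--password=" + secret)   # hypothetical option name
    child = subprocess.Popen(argv, stdin=subprocess.PIPE, text=True)
    try:
        seen = visible_cmdline(child.pid)
    finally:
        child.communicate(secret + "\n")      # deliver outside argv, let the child exit
    return secret in seen


def prompt_password():
    """Fix 2 for interactive use: getpass reads from /dev/tty with echo off on Unix."""
    return getpass.getpass("QuikOrder password: ")


if __name__ == "__main__":
    print("secret in argv :", secret_exposed(SECRET, via_argv=True))
    print("secret on stdin:", secret_exposed(SECRET, via_argv=False))
```

`prompt_password()` is what an interactive client would call in place of parsing the password from its arguments; it is not exercised by the unattended check because it needs a controlling terminal.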