Doug Alcorn suppressed wrote:
> "Kevin Walsh" <suppressed> writes:
>
>> Doug Alcorn suppressed wrote:
>>> I applied the patch and it half-way works. It
>>> prevents the interpreting of the variable in the main
>>> body; however, the page still has the interpreted
>>> variable in the page title.
>>>
>> You are probably using @@MV_PREV_PAGE@@ instead of [subject] in
>> parts of your missing.html. Either correct it to use [subject] or
>> upgrade to a version of Interchange that will trap attempts to
>> exploit the problems. I suggest doing both.
>>
>> @@MV_PREV_PAGE@@ was patched some time ago. A new version to cover
>> [subject] will be released soon. It was about to be released anyway.
>
> I don't doubt what you say, I'm just having a hard
> time figuring out what to do about it. I'm running
> Interchange 5.0.0-1 from Racke's personal debian
> archive. I did a grep MV_PREV_PAGE in my catalog's
> pages directory with no hits. What else can I change?

Actually, that is too far, grep at catroot, as it is in special_pages/missing.html, not pages/.

Things like this cannot be avoided all the time, that is why it is imperative to make an effort to keep sensitive clear data off a web server entirely.

http://www.icdevgroup.org/pipermail/interchange-users/2003-March/032105.html

(Note: AuthorizeNet no longer allows cc numbers to be downloaded in the clear).

Paul