On Mon, 29 Mar 2004 08:25:14 -0700
"Barry Treahy, Jr." <suppressed> wrote:

> Stefan Hornburg wrote:
>
> >Dear Interchange community !
> >
> >All versions of Interchange (4.8.x, 5.0.x, 5.1.x) contain a security hole
> >which allows an attacker to expose arbitrary variable contents by using
> >an URL like http://shop.example.com/cgi-bin/store/__SQLUSER__.
> >
> >All Interchange applications using the standard "missing" special page
> >from the demo catalog or a similar one are vulnerable to this attack.
> >The attacker may learn the SQL access information for your Interchange
> >application and use this information to read and manipulate sensitive
> >data.
> >
> >Attached are patches for the following Interchange versions:
> >
> >4.8.x: Page-4.8.diff
> >
> >
> I manually applied this patch to the 4.8.6 system I have running,
> restarted IC, flushed my browser cache and still seeing the same
> results... any thoughts?

I'll investigate this. Do you see an error message in your global log file ?

Racke

--
LinuXia Systems => http://www.linuxia.de/ Expert Interchange Consulting and System Administration
ICDEVGROUP => http://www.icdevgroup.org/ Interchange Development Team

_______________________________________________
interchange-users mailing list
suppressed
http://www.icdevgroup.org/mailman/listinfo/interchange-users
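
A defender-side check for the request pattern in the advisory quoted above, as an added example that is not part of the original thread or of Interchange: it scans web server access log lines (Apache common log format is assumed) for request paths carrying a `__NAME__` token such as `__SQLUSER__`, including percent-encoded forms. The function name and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Client address, request target and status from an Apache common/combined log line.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+)[^"]*" (\d{3})')
# A __NAME__ token in the path, as in the advisory's __SQLUSER__ URL.
VARIABLE_RE = re.compile(r'__([A-Z][A-Z0-9_]*?)__')

def find_variable_probes(lines):
    """Return (client, variable_name, status) for each __NAME__ token in a request path."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parseable access log entry
        client, target, status = m.group(1), m.group(2), int(m.group(3))
        # Decode percent-escapes so %5F%5FNAME%5F%5F is seen as __NAME__.
        path = unquote(urlsplit(target).path)
        for name in VARIABLE_RE.findall(path):
            hits.append((client, name, status))
    return hits

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [29/Mar/2004:08:01:12 -0700] "GET /cgi-bin/store/index.html HTTP/1.1" 200 5120',
    '203.0.113.9 - - [29/Mar/2004:08:02:40 -0700] "GET /cgi-bin/store/__SQLUSER__ HTTP/1.1" 200 2048',
    '203.0.113.9 - - [29/Mar/2004:08:02:44 -0700] "GET /cgi-bin/store/%5F%5FSQLUSER%5F%5F HTTP/1.0" 200 2051',
    '198.51.100.7 - - [29/Mar/2004:08:03:00 -0700] "GET /cgi-bin/store/images/a__b.gif HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for client, name, status in find_variable_probes(SAMPLE_LOG):
        print(f"{client} requested variable {name} (HTTP {status})")
```

Hits in logs from before the patch was applied mean the named variable's value should be treated as disclosed and the corresponding credentials rotated.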