On Mon, 29 Mar 2004, Barry Treahy, Jr. wrote:

> >All versions of Interchange (4.8.x, 5.0.x, 5.1.x) contain a security hole
> >which allows an attacker to expose arbitrary variable contents by using
> >an URL like http://shop.example.com/cgi-bin/store/__SQLUSER__.
> >
> >All Interchange applications using the standard "missing" special page
> >from the demo catalog or a similar one are vulnerable to this attack.
> >The attacker may learn the SQL access information for your Interchange
> >application and use this information to read and manipulate sensitive
> >data.
> >
> >Attached are patches for the following Interchange versions:
> >
> >4.8.x: Page-4.8.diff
> >
> >
> I manually applied this patch to the 4.8.6 system I have running,
> restarted IC, flushed my browser cache and still seeing the same
> results... any thoughts?

I believe this is because earlier versions of 4.8.x had a missing.html that
used [tmp]...[/tmp] to set the page name, which causes reinterpolation of
the variable. That was changed for 4.8.8 in December.

The safest thing to do is remove all @@MV_PREV_PAGE@@ and [subject] from
your missing.html, especially if you're using an older version of IC and may
not have applied other security patches before this one.

Jon
_______________________________________________
interchange-users mailing list
suppressed
http://www.icdevgroup.org/mailman/listinfo/interchange-users
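
A way to audit a catalog's missing.html for the constructs named in the reply above, as an added example that is not part of the original message or of Interchange itself. The function names and the sample template are assumptions made for illustration; the sample is constructed, not the demo catalog's actual file.

```python
import re
import sys

# [tmp ...]...[/tmp] blocks: the reply identifies these as the cause of
# reinterpolation in older 4.8.x missing.html pages.
TMP_BLOCK = re.compile(r"\[tmp\b[^\]]*\].*?\[/tmp\]", re.I | re.S)
# The two tokens the reply says to remove from missing.html.
TOKENS = re.compile(r"@@MV_PREV_PAGE@@|\[subject\]", re.I)

# Constructed sample template (hypothetical content).
SAMPLE = """\
[tmp page_title]Page not found: [subject][/tmp]
<html><body>
<h1>[scratch page_title]</h1>
<p>The page [subject] was not found.</p>
<p><a href="@@MV_PREV_PAGE@@">Go back</a></p>
</body></html>
"""

def audit_missing_page(text):
    """Return (line_number, token, inside_tmp_block) for each risky token."""
    tmp_spans = [m.span() for m in TMP_BLOCK.finditer(text)]
    findings = []
    for m in TOKENS.finditer(text):
        line = text.count("\n", 0, m.start()) + 1
        inside = any(start <= m.start() < end for start, end in tmp_spans)
        findings.append((line, m.group(0), inside))
    return findings

def needs_cleanup(text):
    """True if the page still contains any token the reply says to remove."""
    return bool(audit_missing_page(text))

if __name__ == "__main__":
    # Usage: python audit_missing.py path/to/missing.html [more files...]
    paths = sys.argv[1:]
    pages = [(p, open(p, encoding="utf-8", errors="replace").read())
             for p in paths] or [("<constructed sample>", SAMPLE)]
    for name, text in pages:
        for line, token, inside in audit_missing_page(text):
            where = "inside [tmp] block (reinterpolated)" if inside else "in page body"
            print(f"{name}:{line}: {token} {where}")
```

A page that yields no findings after editing matches the state the reply recommends; the server still needs the Page patch from the advisory.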