--- Jon Jensen <suppressed> wrote:
> On Mon, 29 Mar 2004, Barry Treahy, Jr. wrote:
>
> > >All versions of Interchange (4.8.x, 5.0.x, 5.1.x) contain a security hole
> > >which allows an attacker to expose arbitrary variable contents by using
> > >an URL like http://shop.example.com/cgi-bin/store/__SQLUSER__.
> > >
> > >All Interchange applications using the standard "missing" special page
> > >from the demo catalog or a similar one are vulnerable to this attack.
> > >The attacker may learn the SQL access information for your Interchange
> > >application and use this information to read and manipulate sensitive
> > >data.
> > >
> > >Attached are patches for the following Interchange versions:
> > >
> > >4.8.x: Page-4.8.diff
> > >
> >
> > I manually applied this patch to the 4.8.6 system I have running,
> > restarted IC, flushed my browser cache and still seeing the same
> > results... any thoughts?
>
> I believe this is because earlier versions of 4.8.x had a missing.html
> that used [tmp]...[/tmp] to set the page name, which causes
> reinterpolation of the variable. That was changed for 4.8.8 in December.
>
> The safest thing to do is remove all @@MV_PREV_PAGE@@ and [subject] from
> your missing.html, especially if you're using an older version of IC and
> may not have applied other security patches before this one.
>
> Jon

So I am safe without the patch if I don't use @@MV_PREV_PAGE@@ and [subject] at all?

- Grant

_______________________________________________
interchange-users mailing list
suppressed
http://www.icdevgroup.org/mailman/listinfo/interchange-users
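The check Jon describes (no `@@MV_PREV_PAGE@@` or `[subject]` left in missing.html, and no `[tmp]...[/tmp]` that reinterpolates them) can be scripted. The following is an added example, not part of the original thread or of Interchange; the function name, the case-insensitive tag matching and the sample page contents are assumptions constructed for illustration.

```python
import re
import sys

# Constructs the thread names as risky in a "missing" special page.
# Assumption: tag names are matched case-insensitively and may carry arguments.
RISKY = {
    "@@MV_PREV_PAGE@@": re.compile(r"@@MV_PREV_PAGE@@"),
    "[subject]": re.compile(r"\[subject\b[^\]]*\]", re.I),
    "[tmp]": re.compile(r"\[tmp\b[^\]]*\]", re.I),  # reinterpolates its body
}

def scan_missing_page(text):
    """Return (line_number, label, line) for every risky construct found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, pattern in RISKY.items():
            if pattern.search(line):
                findings.append((lineno, label, line.strip()))
    return findings

# Constructed sample pages (not taken from any Interchange release).
SAMPLE_OLD = """\
[tmp page_title]Page not found: [subject][/tmp]
<p>Sorry, the page (@@MV_PREV_PAGE@@) was not found.</p>
"""
SAMPLE_CLEAN = """\
<p>Sorry, the page you requested was not found.</p>
"""

def main(paths):
    """Scan each file given on the command line; exit status 1 if any hit."""
    hits = 0
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, label, line in scan_missing_page(fh.read()):
                hits += 1
                print(f"{path}:{lineno}: {label}: {line}")
    return 1 if hits else 0

if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(main(sys.argv[1:]))
    # No arguments: show the result for the constructed samples.
    for finding in scan_missing_page(SAMPLE_OLD):
        print(finding)
```

Run it with the path to each catalog's missing.html as arguments; a non-zero exit status means at least one of the constructs is still present.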