
Interchange News

  • Interchange security releases: 5.7.2, 5.6.2, 5.4.4

    Posted on September 17, 2009 by Jon Jensen

    Today we are releasing three new versions of Interchange:

    • Interchange 5.7.2 is the latest development version, representing 10 months of improvements: an extensive list of new features to improve developer efficiency, plus bug fixes.
    • Interchange 5.6.2 is the latest stable version, with the most important changes backported to provide the greatest possible stability for those upgrading from 5.6.0 or 5.6.1.
    • Interchange 5.4.4 is an update of the previous stable series of releases provided only to fix a security problem.

    All three releases add a new security feature that closes a serious vulnerability, described here:

    A remotely exploitable vulnerability has been discovered: an unauthenticated user could view the contents of any table configured within Interchange by sending a specially crafted search request.

    This vulnerability affects all previous versions of Interchange. Even if your catalog does not use the search structure provided in the default install, it could still be vulnerable.

    To protect against exploits, we strongly recommend all public Interchange sites upgrade and use the new configuration directive AllowRemoteSearch.

    AllowRemoteSearch limits what database tables are remotely searchable and should be specified in each catalog configuration. It defaults to:

    AllowRemoteSearch products variants options

    Any table specified in this option will be remotely searchable, and you should not permit any table with sensitive information to be searched in this way. You should carefully consider the implications of adding any further tables to this configuration option.

    Your existing catalog may already use remote searches. These should continue working without changes as long as they search only tables permitted by the AllowRemoteSearch directive. Carefully examine your catalog for uses of the search form action, and for pages that submit a form to a page called search or scan. Where such a form specifies a search file other than products, variants, or options, consider rewriting that page so that the table and fields to be searched are fixed in the page and the client supplies only the search terms via CGI parameters, rather than the entire search specification. Please consult the documentation on in-page searches.
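    As an added example (not Interchange's own code, and not the logic Interchange uses internally to enforce the directive), the following Python script models the AllowRemoteSearch check and runs it over web-server access-log lines to find search or scan requests that name a table outside the allow list. It assumes the standard Interchange search parameter names, where mv_search_file (short form fi) names the table a search reads, passed either as a query string to the search action or as slash-separated key=value segments under the scan action. The catalog name, client addresses, table names and log lines are constructed for the example.

```python
"""Flag Interchange search/scan requests that name tables outside AllowRemoteSearch.

Added example, not part of Interchange. Assumptions: mv_search_file / fi carry
the table name(s); the "search" action takes a query string and the "scan"
action takes /key=value/ path segments. Log lines below are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit, unquote

# Default from the announcement: AllowRemoteSearch products variants options
ALLOW_REMOTE_SEARCH = frozenset({"products", "variants", "options"})

# Constructed Combined Log Format lines for a catalog named "store".
SAMPLE_LOG = """\
203.0.113.5 - - [17/Sep/2009:10:01:02 +0000] "GET /cgi-bin/store/search?mv_searchspec=shirt&mv_search_file=products HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [17/Sep/2009:10:01:09 +0000] "GET /cgi-bin/store/scan/se=red/fi=products/fi=variants/sp=results HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Sep/2009:10:02:31 +0000] "GET /cgi-bin/store/search?mv_searchspec=a&fi=userdb HTTP/1.1" 200 98231 "-" "curl/7.19.7"
198.51.100.7 - - [17/Sep/2009:10:02:40 +0000] "GET /cgi-bin/store/scan/se=a/fi=transactions/sp=results HTTP/1.1" 200 77102 "-" "curl/7.19.7"
192.0.2.9 - - [17/Sep/2009:10:03:00 +0000] "GET /cgi-bin/store/index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

_REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
_SEARCH_FILE_KEYS = ("mv_search_file", "fi")


def requested_tables(path):
    """Return the tables a search/scan request asks Interchange to read."""
    parts = urlsplit(path)
    segments = parts.path.split("/")
    tables = []
    if "search" in segments:
        # query-string form: ?mv_search_file=products or ?fi=products
        params = parse_qs(parts.query, keep_blank_values=True)
        for key in _SEARCH_FILE_KEYS:
            tables.extend(params.get(key, []))
    if "scan" in segments:
        # path form: /scan/fi=products/se=term/sp=results
        for seg in segments[segments.index("scan") + 1:]:
            key, sep, value = seg.partition("=")
            if sep and key in _SEARCH_FILE_KEYS:
                tables.append(unquote(value))
    return tables


def disallowed_tables(path, allowed=ALLOW_REMOTE_SEARCH):
    """Tables named in the request that the allow list would not permit."""
    return sorted({t for t in requested_tables(path) if t not in allowed})


def flag_log(log_text, allowed=ALLOW_REMOTE_SEARCH):
    """Return (client_ip, path, disallowed_tables) for each offending request."""
    hits = []
    for line in log_text.splitlines():
        m = _REQ_RE.search(line)
        if not m:
            continue
        path = m.group(1)
        bad = disallowed_tables(path, allowed)
        if bad:
            client_ip = line.split(" ", 1)[0]
            hits.append((client_ip, path, bad))
    return hits


if __name__ == "__main__":
    for client_ip, path, bad in flag_log(SAMPLE_LOG):
        print(f"{client_ip} requested non-allowed table(s) {', '.join(bad)}: {path}")
```

    Run it against your real access logs from before the upgrade to see whether anyone probed tables beyond products, variants and options; a hit against a table such as userdb or transactions is worth investigating as a possible data exposure. The same allow-list comparison is what you apply by hand to your own catalog pages: any search or scan form whose search file is not in AllowRemoteSearch will stop working after the upgrade and should be converted to an in-page search.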

    If your catalog makes use of ActionMaps that perform searches, these should continue to work as intended as long as they search a table allowed by AllowRemoteSearch. However, you should consider updating them and the ncheck_category Sub in catalog.cfg to use the new search tag.

    In the standard and foundation catalogs, the “lost password” feature makes use of the remote search feature. We recommend that you delete catalog/pages/query/get_password.html from your catalog, and replace catalog/pages/query/lost_password.html with an updated version from one of these new releases. As an alternative, see the UPGRADE document for a patch you may apply to work around the problem temporarily.

    For more details see the section “REMOTE SEARCHING” in the UPGRADE document.

    Packages are available on this site for download. We thank Mark Lipscombe for finding and fixing this vulnerability and for his other contributions to these releases.
