Interchange News
Interchange security releases: 5.7.2, 5.6.2, 5.4.4
Posted on September 17, 2009 by Jon Jensen
Today we are releasing three new versions of Interchange:
- Interchange 5.7.2 is the latest development version, representing 10 months of improvements: an impressive list of new features that improve developer efficiency, plus many bug fixes.
- Interchange 5.6.2 is the latest stable version. It backports only the most important changes, to give the most stability possible for those upgrading from 5.6.0 or 5.6.1.
- Interchange 5.4.4 is an update of the previous stable series of releases provided only to fix a security problem.
All three releases add a new configuration directive to close a serious security vulnerability, which we describe here:
A remotely exploitable security vulnerability has been discovered where any table configured within Interchange could be viewed remotely by an unauthenticated user, by using a specially crafted search request.
This vulnerability affects all previous versions of Interchange. Your catalog can be vulnerable even if it does not use the search structure provided in the default install.
To protect against exploits, we strongly recommend all public Interchange sites upgrade and use the new configuration directive AllowRemoteSearch.
AllowRemoteSearch limits what database tables are remotely searchable and should be specified in each catalog configuration. It defaults to:
AllowRemoteSearch products variants options
Any table specified in this option will be remotely searchable, and you should not permit any table with sensitive information to be searched in this way. You should carefully consider the implications of adding any further tables to this configuration option.
Your existing catalog may already use remote searches. These should continue working without any changes as long as they only search tables permitted by the AllowRemoteSearch directive. You should carefully examine your catalog for uses of the search form action, or pages which submit a form to a page called search or scan. If any of them specifies a search file other than products, variants, or options, consider rewriting that page to accept only the search terms via CGI parameters, rather than the entire search specification, and to perform the search in-page. Please consult the documentation on in-page searches.
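A way to check past traffic for remote searches that named tables outside the allow-list, as an added example for this advisory (it is not code from the Interchange project). It assumes an Apache/nginx combined-format access log, that Interchange's search variable mv_search_file (short alias fi) names the table to search and mv_searchspec (alias se) carries the terms, that a "search" page takes its arguments as a query string while a "scan" page takes them as path segments of the form /scan/fi=table/se=term, and that table names contain no whitespace. The sample log lines are constructed, not real traffic.

```python
"""Audit access-log request lines for Interchange remote searches that name a
table outside the AllowRemoteSearch list.  Added example for this advisory;
it is not code from the Interchange project.

Assumptions (not stated on this page):
- the log is in Apache/nginx "combined" format;
- mv_search_file (alias fi) names the table(s) to search and mv_searchspec
  (alias se) carries the search terms;
- a "search" page takes its arguments as a query string (or a POST body,
  which the request line does not show) while a "scan" page takes them as
  path segments of the form /scan/fi=table/se=term;
- table names contain no whitespace.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Default value shipped with 5.7.2, 5.6.2 and 5.4.4, as given in the advisory.
ALLOW_REMOTE_SEARCH = frozenset({"products", "variants", "options"})

# Short aliases for the search variables we care about.
ALIASES = {"fi": "mv_search_file", "se": "mv_searchspec"}

# Request line of a combined-format access log entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def search_params(url):
    """Return (page, params) where page is 'search' or 'scan' and params maps
    full variable names to lists of values; (None, {}) for other requests."""
    parts = urlsplit(url)
    segs = [s for s in parts.path.split("/") if s]
    params = {}
    page = None
    for i, seg in enumerate(segs):
        name = seg[:-5] if seg.endswith(".html") else seg
        if name in ("search", "scan"):
            page = name
            # scan-style path arguments follow the page name
            for arg in segs[i + 1:]:
                if "=" in arg:
                    k, v = arg.split("=", 1)
                    params.setdefault(ALIASES.get(k, k), []).append(unquote(v))
            break
    if page is None:
        return None, {}
    for k, v in parse_qsl(parts.query, keep_blank_values=True):
        params.setdefault(ALIASES.get(k, k), []).append(v)
    return page, params


def disallowed_tables(url, allowed=ALLOW_REMOTE_SEARCH):
    """Tables named by mv_search_file in a search/scan request that are not in
    the allow-list.  Empty set for allowed searches and non-search requests."""
    page, params = search_params(url)
    if page is None:
        return set()
    tables = set()
    for value in params.get("mv_search_file", []):
        tables.update(value.split())
    return tables - set(allowed)


def audit_log(lines, allowed=ALLOW_REMOTE_SEARCH):
    """Return [(ip, timestamp, url, [tables])] for every request line whose
    remote search names a table outside the allow-list."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        bad = disallowed_tables(m["url"], allowed)
        if bad:
            hits.append((m["ip"], m["ts"], m["url"], sorted(bad)))
    return hits


# Constructed sample log lines (not real traffic): a legitimate product search,
# a search against a non-allowed table, a scan-style request against another,
# and an unrelated page view.
SAMPLE_LOG = [
    '203.0.113.7 - - [17/Sep/2009:10:01:22 +0000] "GET /cgi-bin/catalog/search?mv_searchspec=shirt&mv_search_file=products HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [17/Sep/2009:10:01:40 +0000] "GET /cgi-bin/catalog/search?se=a&fi=userdb HTTP/1.1" 200 9876 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [17/Sep/2009:10:02:05 +0000] "GET /cgi-bin/catalog/scan/fi=transactions/se=2009 HTTP/1.1" 200 7654 "-" "curl/7.19"',
    '198.51.100.9 - - [17/Sep/2009:10:02:30 +0000] "GET /cgi-bin/catalog/index.html HTTP/1.1" 200 2048 "-" "curl/7.19"',
]

if __name__ == "__main__":
    for ip, ts, url, tables in audit_log(SAMPLE_LOG):
        print(f"{ts} {ip} searched non-allowed table(s) {tables}: {url}")
```

Two caveats: a search submitted by POST carries its variables in the request body, which the access log's request line does not record, so this review cannot replace auditing the catalog's own pages as described above; and a hit only tells you a non-allowed table was named, not what a vulnerable release returned. Pass your own AllowRemoteSearch list as the allowed argument if you have extended it.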
If your catalog makes use of ActionMaps that perform searches, these should continue to work as intended as long as they search a table allowed by AllowRemoteSearch. However, you should consider updating them and the ncheck_category Sub in catalog.cfg to use the new search tag.
In the standard and foundation catalogs, the “lost password” feature makes use of the remote search feature. We recommend that you delete catalog/pages/query/get_password.html from your catalog, and replace catalog/pages/query/lost_password.html with an updated version from one of these new releases. As an alternative, see the UPGRADE document for a patch you may apply to work around the problem temporarily.
For more details see the section “REMOTE SEARCHING” in the UPGRADE document.
Packages are available on this site for download. We thank Mark Lipscombe for finding and fixing this vulnerability and for his other contributions to these releases.