Skip to main content.

Interchange News

  • Interchange security releases: 5.7.6, 5.6.3, 5.4.5

    Posted on March 24, 2010 by David Christensen

    Today we are releasing three new versions of Interchange:

    • Interchange 5.7.6 is the latest development version representing all recent improvements and new features to increase developer efficiency and fix bugs.
    • Interchange 5.6.3 is the latest stable version which includes the most important changes backported to provide the most stability possible for those upgrading from versions 5.6.0, 5.6.1 or 5.6.2.
    • Interchange 5.4.5 is an update of the previous stable series of releases provided only to fix a serious security problem.
    • All three releases close a potential HTTP response splitting vulnerability. This type of vulnerability can have multiple impacts including cross site scripting, cross-user defacement, web cache poisoning, hijacking pages and browser cache poisoning. More information about this type of attack vector can be found at http://www.securiteam.com/securityreviews/5WP0E2KFGK.html.

      Catalogs based on the standard demo are not known to be vulnerable out-of-the-box, but there is still the potential of the split response vulnerability impacting custom pages or functionalities. In particular, if you have enabled either the BounceReferrals or BounceRobotSessionURL directives you may be vulnerable to this attack.

      To protect against exploits, we strongly recommend all public Interchange sites upgrade to the latest point release in the current series.

News archive