Interchange News

  • Security flaw found in Interchange demo

    Posted on 23-Sep-2005 by Jonathan Clark

    A security flaw has been discovered in the Interchange demo catalog which allows an arbitrary user to inject Interchange Tag Language (ITL) into the forum/submit.html page. This affects catalogs built on the ‘mike’, ‘standard’, or ‘foundation’ demo included with Interchange from version 4.9.3 (development) and 5.0 (stable). Two vulnerability database entries cover this: CVE-2005-3072 and CVE-2005-3073.

    The Interchange Development Group recommends that all vulnerable catalogs be patched immediately with the updated version of the forum/submit.html file. Alternatively, if the forum feature is not being used, the page can safely be removed. Whether or not the forum feature is being used, this page should be patched or removed.

    Updated releases of Interchange, 5.0.2 and 5.2.1, are available; RPM versions will follow.

    The nightly build now also includes the fix.
