[ic] IMPORTANT: Workaround for IC problem

Mike Heins interchange-users@icdevgroup.org
Sun Aug 11 10:39:01 2002


Dear All,

There was a serious security problem found with all versions of
Interchange and Minivend. It allows reading of arbitrary files that
can be read by the Interchange/Minivend user ID.

There is a workaround that is immediately effective:

* Move or remove the "doc" directory, if it exists in the Interchange
  software directory.

    mv INTERCHANGE_ROOT/doc INTERCHANGE_ROOT/unsafe

  For example, if your Minivend or Interchange is installed at
  /usr/local/interchange, it would be:

    mv /usr/local/interchange/doc /usr/local/interchange/unsafe

  That immediately closes the hole. Normally the only contents of
  the directory are some man pages.
 
There will be patched versions available soon which solve the problem
completely.

We strongly urge all Interchange and Minivend users to implement this 
immediately for the safety of their systems and customer data.

In addition, we recommend that if you don't need INET mode,
you disable it. It would also be wise to close port 7786
on the Internet side of your firewall.

Best Regards,
Mike Heins

for ICDEVGROUP

-- 
Mike Heins
Perusion -- Expert Interchange Consulting    http://www.perusion.com/
phone +1.513.523.7621      <mike@perusion.com>

Few blame themselves until they have exhausted all other possibilities.
 -- anonymous
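
The following check for the workaround above is an added example, not part of the original message or of the Interchange code. The function names and the sample listing are constructed for illustration, and it assumes socket listings in `ss -ltn` or `netstat -ltn` format, where the local address is the fourth column.

```shell
#!/bin/sh
# Added example: verify the workaround from the message on one host.
# Function names and SAMPLE_SS are this example's own (hypothetical).

# Exit 0 if ROOT/doc still exists, i.e. the directory has not been moved.
doc_dir_present() {
    [ -e "$1/doc" ] || [ -L "$1/doc" ]
}

# Read `ss -ltn` / `netstat -ltn` output on stdin and print every
# non-loopback local address that is listening on PORT.
exposed_listeners() {
    awk -v port="$1" '
        {
            n = split($4, parts, ":")
            if (n < 2 || parts[n] != port) next
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr ~ /^127\./ || addr == "[::1]" || addr == "::1") next
            print addr
        }'
}

# Constructed sample listing: one exposed and one loopback listener on 7786.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:7786       0.0.0.0:*
LISTEN 0      128    127.0.0.1:5432     0.0.0.0:*
LISTEN 0      128    [::1]:7786         [::]:*'

# Report findings for ROOT given a socket LISTING; return 1 if any.
audit() {
    root=$1; listing=$2; rc=0
    if doc_dir_present "$root"; then
        echo "FAIL: $root/doc exists; move it as described in the message"
        rc=1
    fi
    for addr in $(printf '%s\n' "$listing" | exposed_listeners 7786); do
        echo "WARN: port 7786 listening on $addr; review INET mode and firewall"
        rc=1
    done
    return $rc
}

# Usage: sh check.sh /usr/local/interchange
if [ "$#" -ge 1 ]; then audit "$1" "$(ss -ltn 2>/dev/null)"; fi
```

A listener bound only to a loopback address is not reported, since the message's concern is the Internet-facing side.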