[ic] Interchange 4.6.3 and latest security patch

Paul Jordan paul at gishnetwork.com
Tue Apr 6 01:08:03 EDT 2004


Bryan Zimmer [bryanz at gloryworks.com] wrote:
> I'm running Interchange 4.6.3 (shudder shudder) and can't easily
> upgrade due to the logistics and time involved. I tried to patch
> 4.6.3 to fix the security hole that was found yesterday but haven't
> been successful. First I tried only replacing the code that was
> changed in Vend.pm, which didn't work. Then I replaced the whole page
> with the one from the latest distribution which seemed to work at
> first. Only problem is when I go into the admin interface I can get
> to the first page but as soon as I click on any links (for example to
> go to the orders) I get a page that says "Error: Not authorized for
> order administration. Contact administrator?" There's nothing
> reported in any of the error.log files.
>
> Does anyone have any suggestions short of upgrading? Can some
> Interchange God figure out how to eliminate the security hole from
> 4.6.3?
>
> As a last resort, does anyone know if a catalog from 4.6.3 can be
> dropped in to 5.0.1 without too many problems?


I've heard pre-4.8 -> 5 would present problems above the average user.

I know nothing about 4.6, but you can probably just strip out the code from the
missing.html file (which may have been in special_pages/missing.html). That
should prevent users from being able to easily interpolate a var.

Also, the longer you wait, the more expensive an upgrade will be. Just hire
Mike, Kevin, Ed or Racke to do it, and be done with it.

Alternatively, it just may be easier to rebuild the site in 5.

Paul


