[ic] Security Problem in Interchange

Grant emailgrant123b at yahoo.com
Mon Mar 29 14:11:55 EST 2004


--- Jon Jensen <jon at endpoint.com> wrote:
> On Mon, 29 Mar 2004, Barry Treahy, Jr. wrote:
> 
> > >All versions of Interchange (4.8.x, 5.0.x, 5.1.x) contain a security hole
> > >which allows an attacker to expose arbitrary variable contents by using
> > >an URL like http://shop.example.com/cgi-bin/store/__SQLUSER__.
> > >
> > >All Interchange applications using the standard "missing" special page
> > >from the demo catalog or a similar one are vulnerable to this attack.
> > >The attacker may learn the SQL access information for your Interchange
> > >application and use this information to read and manipulate sensitive
> > >data.
> > >
> > >Attached are patches for the following Interchange versions:
> > >
> > >4.8.x:     Page-4.8.diff
> > >
> > I manually applied this patch to the 4.8.6 system I have running,
> > restarted IC, flushed my browser cache and still seeing the same
> > results...  any thoughts?
>
> I believe this is because earlier versions of 4.8.x had a missing.html
> that used [tmp]...[/tmp] to set the page name, which causes
> reinterpolation of the variable. That was changed for 4.8.8 in December.
>
> The safest thing to do is remove all @@MV_PREV_PAGE@@ and [subject] from
> your missing.html, especially if you're using an older version of IC and
> may not have applied other security patches before this one.
> 
> Jon

So I am safe without the patch if I don't use
@@MV_PREV_PAGE@@ and [subject] at all?

- Grant
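
An added example, not part of the thread and not Interchange's own code: a Python check that flags the constructs Jon names in a missing.html and picks requests carrying a __NAME__ token, like the advisory's URL, out of an access log. The sample page, the log lines (common log format assumed) and the function names are constructed for illustration.

```python
import re

# Tokens the thread says to remove from missing.html (they echo the requested page).
ECHO_TOKENS = re.compile(r"@@MV_PREV_PAGE@@|\[subject\]", re.IGNORECASE)
# [tmp ...]...[/tmp] blocks: per the thread, setting the page name inside one
# causes the value to be reinterpolated.
TMP_BLOCK = re.compile(r"\[tmp\b[^\]]*\](.*?)\[/tmp\]", re.IGNORECASE | re.DOTALL)
# A request path carrying a __NAME__ variable token, as in the advisory's URL.
VAR_IN_PATH = re.compile(r'"(?:GET|POST|HEAD) (\S*__[A-Z][A-Z0-9_]*__\S*) ')


def audit_template(text):
    """Return sorted (line_number, finding) pairs for risky constructs."""
    findings, tmp_spans = [], []
    for block in TMP_BLOCK.finditer(text):
        if ECHO_TOKENS.search(block.group(1)):
            tmp_spans.append(block.span())
            line = text.count("\n", 0, block.start()) + 1
            findings.append((line, "page name set inside [tmp] (reinterpolated)"))
    for tok in ECHO_TOKENS.finditer(text):
        if any(s <= tok.start() < e for s, e in tmp_spans):
            continue  # already reported with its enclosing [tmp] block
        line = text.count("\n", 0, tok.start()) + 1
        findings.append((line, "echoes requested page: " + tok.group(0)))
    return sorted(findings)


def variable_probes(log_lines):
    """Return request paths that contain a __NAME__ token."""
    return [m.group(1) for m in map(VAR_IN_PATH.search, log_lines) if m]


# Constructed samples, not taken from any Interchange release or real log.
SAMPLE_PAGE = """<html><body>
[tmp page_title]Not found: [subject][/tmp]
<h1>[scratch page_title]</h1>
<p>Sorry, the page (@@MV_PREV_PAGE@@) was not found.</p>
</body></html>
"""
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Mar/2004:14:02:11 -0500] "GET /cgi-bin/store/index.html HTTP/1.0" 200 5120',
    '192.0.2.77 - - [29/Mar/2004:14:03:40 -0500] "GET /cgi-bin/store/__SQLUSER__ HTTP/1.0" 200 2048',
]

if __name__ == "__main__":
    for line, finding in audit_template(SAMPLE_PAGE):
        print(f"missing.html:{line}: {finding}")
    for path in variable_probes(SAMPLE_LOG):
        print("variable token in request:", path)
```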
