[ic] Interchange security releases: 5.7.2, 5.6.2, 5.4.4

Peter peter at pajamian.dhs.org
Sun Sep 20 21:05:06 UTC 2009


On 09/20/2009 11:10 AM, Grant wrote:
>>> I hope replying here is alright.  I'm trying to figure out if I'm
>>> vulnerable to this.  I don't use [search-region] or ActionMap at all.
>>> Does that exclude me?
>> No, you are vulnerable if you use a Standard or Foundation based
>> catalog.  You are vulnerable if you have a search results page that
>> utilizes the Interchange standard search facilities anywhere, even if
>> you do not use it.  If you think you might be vulnerable you probably
>> are.  If you think you are not vulnerable then you still probably are.
>>
>> I recommend this update for ... pretty much everyone.
>>
>>
>> Peter
> 
> I don't use a Standard or Foundation based catalog, and my search
> results pages are completely home-brewed within IC.  None of the raw
> search parameters appear in the URL ever.  I do use [loop
> search="..."][/loop] within my pages, but I don't know if that counts
> as "standard search facilities" and I don't see how that could be
> manipulated.

In that case chances are you are safe from this vulnerability, but I'm
not about to make any guarantees.  If you want to be safe, do the upgrade.


Peter



