[ic] Interchange security releases: 5.7.2, 5.6.2, 5.4.4
Grant
emailgrant at gmail.com
Sun Sep 20 22:35:25 UTC 2009
>>>>>> I hope replying here is alright. I'm trying to figure out if I'm
>>>>>> vulnerable to this. I don't use [search-region] or ActionMap at all.
>>>>>> Does that exclude me?
>>>>>>
>>>>> No, you are vulnerable if you use a Standard or Foundation based
>>>>> catalog. You are vulnerable if you have a search results page that
>>>>> utilizes the Interchange standard search facilities anywhere, even if
>>>>> you do not use it. If you think you might be vulnerable you probably
>>>>> are. If you think you are not vulnerable then you still probably are.
>>>>>
>>>>> I recommend this update for ... pretty much everyone.
>>>>>
>>>>>
>>>>> Peter
>>>>>
>>>>>
>>>> I know somethings that have not been address, different language search,
>>>> like search in Chinese.
>>>> Also be able to run multiple stores.
>>> I don't think this update will affect language searches, but please do
>>> test it before upgrading your live site. I am very sure that it does
>>> not affect multiple stores as I have already run the upgrade for a
>>> client who has multiple catalogs running off of a single Interchange
>>> server and I'm sure I'm not the only one.
>>>
>>> That said, if you have multiple catalogs running under a single
>>> Interchange server and they are accessed by different people who should
>>> not have access to files from the other catalogs (or indeed from any
>>> other files on the server itself), then you should definitely perform
>>> this update because it also addresses a separate security vulnerability
>>> that allows any catalog to access all files which are accessible to the
>>> system user that the Interchange server is running under.
>>>
>>>
>>> Peter
>>
>> Can any web user view those files, or just a person logged into the server?
>
> Just people who have admin access to Interchange, or enough access to be
> able to inject ITL somewhere. Keep in mind that if someone can find a
> code injection vulnerability on one of your pages then this can be used
> to greatly increase what they can see and do. Basically it allows a
> user to bypass the NoAbsolute global configuration directive. Also this
> vulnerability allows write as well as read access to any files that the
> interch user can write.
>
>
> Peter
Thank you for the info.
- Grant
More information about the interchange-users
mailing list