[ic] Interchange security releases: 5.7.2, 5.6.2, 5.4.4

Gert van der Spoel gert at 3edge.com
Fri Sep 25 06:54:56 UTC 2009


> -----Original Message-----
> From: interchange-users-bounces at icdevgroup.org [mailto:interchange-users-bounces at icdevgroup.org] On Behalf Of Rick Bragg
> Sent: Friday, September 25, 2009 9:47 AM
> To: interchange-users at icdevgroup.org
> Subject: Re: [ic] Interchange security releases: 5.7.2, 5.6.2, 5.4.4
> 
> On Fri, 2009-09-25 at 06:38 +0000, Rick Bragg wrote:
> > On Sat, 2009-09-19 at 16:49 -0700, Peter wrote:
> > > On 09/19/2009 04:20 PM, Grant wrote:
> > > > I hope replying here is alright.  I'm trying to figure out if I'm
> > > > vulnerable to this.  I don't use [search-region] or ActionMap at all.
> > > > Does that exclude me?
> > >
> > > No, you are vulnerable if you use a Standard or Foundation based
> > > catalog.  You are vulnerable if you have a search results page that
> > > utilizes the Interchange standard search facilities anywhere, even if
> > > you do not use it.  If you think you might be vulnerable you probably
> > > are.  If you think you are not vulnerable then you still probably are.
> > >
> > > I recommend this update for ... pretty much everyone.
> > >
> > >
> > > Peter
> > >
> >
> > Thanks for this update, I have updated all my e-commerce catalogs with
> > no problems at all except for one that is scheduled to go live on next
> > Wednesday.  The countdown to bringing Montpelier live has started, and
> > the city is like a mob scene, they will be banging on my door because it
> > is already really late :)
> >
> > Anyway, my issue is that I am using lots of new tables that I have built
> > for "content management" and "social networking" purposes. I am using a
> > search similar to the "search_box_small" and "advancedsearch" for much
> > of the content, also I am using a "swish" search for pdf files.  The
> > tables are somewhat private so I don't want to open them up in the
> > "AllowRemoteSearch" config directive in catalog.cfg
> >
> > Are there new ways to use these kinds of searches?  Or is there a
> > temporary work-around that I can do for now?
> >
> > Thanks again, and please make the mob go away!
> > Rick
> >
> 
> Actually, I set it up so that all the people using the system are
> logging into the affiliates database and nobody will be able to put ITL
> anywhere in the site (except the planning department who I am letting do
> anything anyway).  However, I will be letting the Clerk login to the
> admin area ONLY for "orders".  So is it safe to open up these tables in
> this case?
> 
> Rick
> 

You can allow tables temporarily via something like:
push(@{$Config->{AllowRemoteSearch}},'TABLE');

Not sure if that will help you or how safe this is for your situation ... 
So don't send the Montpelier mob after me if it's not working out ;)

CU,

Gert







