[ic] Interchange security releases: 5.7.6, 5.6.3, 5.4.5

Grant emailgrant at gmail.com
Thu Mar 25 15:47:39 UTC 2010

> Today we are releasing three new versions of Interchange:
> * Interchange 5.7.6 is the latest development version representing all
> recent improvements and new features to increase developer efficiency
> and fix bugs.
> * Interchange 5.6.3 is the latest stable version which includes the most
> important changes backported to provide the most stability possible for
> those upgrading from versions 5.6.0, 5.6.1 or 5.6.2.
> * Interchange 5.4.5 is an update of the previous stable series of releases
> provided only to fix a serious security problem.
> All three releases close a potential HTTP response splitting
> vulnerability.  This type of vulnerability can have multiple impacts
> including cross site scripting, cross-user defacement, web cache
> poisoning, hijacking pages and browser cache poisoning.  More
> information about this type of attack vector can be found at
> http://www.securiteam.com/securityreviews/5WP0E2KFGK.html.
> Catalogs based on the standard demo are not known to be vulnerable
> out-of-the-box, but there is still the potential of the split response
> vulnerability impacting custom pages or functionalities.  In
> particular, if you have enabled either the BounceReferrals or
> BounceRobotSessionURL directives you may be vulnerable to this attack.
> To protect against exploits, we strongly recommend all public Interchange
> sites upgrade to the latest point release in the current series.
> The software and more detailed change logs are available here:
> http://ftp.icdevgroup.org/interchange/
> SHA1 hashes of the release files:
> da021e9dd71128a6faa88ed162c3b14c976260a1  interchange-5.7.6.tar.bz2
> a9c39ac51e5f317771c350ac409788602f18582b  interchange-5.7.6.tar.gz
> 8c184dab3a4156ff04f9166f793de430dbf0c77e  interchange-5.7.6.tar.xz
> 143a3164d58fc07e0fa0eafced522d7ac8c6fb94  interchange-5.6.3.tar.bz2
> 78635a51f9c66eaff875c789c99584ee6f0eacd6  interchange-5.6.3.tar.gz
> 88ee839353b313c7575701fbfea5f3a899788706  interchange-5.6.3.tar.xz
> a97ee14ef49d596324a5688a8e0b9564365b9a7f  interchange-5.4.5.tar.bz2
> a75aafbeba94cdf0c790b001576b80be99659a43  interchange-5.4.5.tar.gz
> 0039b2b19630c049ecdbf6f678be1f24dbca0a6f  interchange-5.4.5.tar.xz
> Detached PGP signatures signed by my key (id CE699D4E) are alongside
> each file for download and verification.
> Further information and links to documentation and the user discussion
> mailing list are at:
> http://www.icdevgroup.org/
> David Christensen
> Interchange Development Group

I read the securiteam.com link, and I'm wondering if there is any way
to close this vulnerability besides upgrading?  It sounds like
removing BounceReferrals and BounceRobotSessionURL directives is a
good first step.  What is it about a custom page that can make it

- Grant

More information about the interchange-users mailing list