[interchange-cvs] interchange - racke modified WHATSNEW

interchange-cvs at icdevgroup.org
Mon Mar 29 04:36:27 EST 2004


User:      racke
Date:      2004-03-29 09:36:26 GMT
Modified:  .        WHATSNEW
Log:
added latest security patch, added a new security section

Revision  Changes    Path
2.200     +26 -4     interchange/WHATSNEW


rev 2.200, prev_rev 2.199
Index: WHATSNEW
===================================================================
RCS file: /anon_cvs/repository/interchange/WHATSNEW,v
retrieving revision 2.199
retrieving revision 2.200
diff -u -r2.199 -r2.200
--- WHATSNEW	26 Mar 2004 22:43:12 -0000	2.199
+++ WHATSNEW	29 Mar 2004 09:36:26 -0000	2.200
@@ -6,7 +6,32 @@
 ------------------------------------------------------------------------------
 
 
-Interchange 5.1.0 not yet released.
+Interchange 5.1.0 released 2004-03-29.
+
+Security
+--------
+
+* Plug a security hole which allows an attacker to expose arbitrary variable 
+  contents by using an URL like 
+  http://shop.example.com/cgi-bin/store/__SQLUSER__. 
+
+  All Interchange applications using the standard "missing" special page
+  from the demo catalog or a similar one are vulnerable to this attack.
+  The attacker may learn the SQL access information for your Interchange
+  application and use this information to read and manipulate sensitive
+  data.
+
+* Disallow [ and < in page names when setting MV_PAGE and MV_PREV_PAGE
+  variables.
+
+* Prevent login information from getting re-saved on a session cancel.
+
+* Define a set of CGI keys that we don't want to save to disk, as
+  @Global::HideCGI.
+
+* Don't show sensitive (i.e. @Global::HideCGI) CGI variables in a dump.
+  This allows saving a session to disk for diagnositic purposes in case
+  of order failure.
 
 Core
 ----
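Review bot: "diagnositic" in the last bullet should read "diagnostic", "an URL" in the first bullet should read "a URL", and the first three lines of that first bullet carry trailing whitespace; worth fixing before this text is copied into release notes and advisories. The first entry also names only the symptom (a request for a path like /__SQLUSER__ exposes the variable's contents via the "missing" special page) and not the scope: state which releases before 5.1.0 are affected and whether a fix is available for earlier branches, since the sentence "All Interchange applications using the standard "missing" special page from the demo catalog or a similar one are vulnerable" is what administrators will read to decide whether to upgrade. For the two @Global::HideCGI bullets, consider listing the default set of hidden keys (or pointing at where it is defined) so readers know which values the session dump now omits.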
@@ -16,9 +41,6 @@
   attachment vs. inline is now controlled by attach_only attribute
   for [tag mime ...]. Demo'd with encrypted credit card attachment
   in etc/report.
-
-* Disallow [ and < in page names when setting MV_PAGE and MV_PREV_PAGE
-  variables.
 
 * Move mv_nextpage fallback before security check.
 
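Review bot: "Move mv_nextpage fallback before security check", the context line left under Core after this removal, describes a security-relevant ordering change in the same way as the entry being moved to the new Security section, so either move it there too or expand it with a sentence on what the reordering prevents. The removal itself is a clean move: the deleted text matches the entry added under Security in the first hunk, and the surrounding blank lines stay consistent.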