[ic] Critical security patch for Interchange 4.8.x

Mike Heins mike at perusion.com
Tue Dec 16 13:17:40 EST 2003


There has been a security hole found in Interchange 4.8.x, and it may
also apply to early Interchange 4.9 series systems. Interchange 5.0
is not vulnerable in the default foundation, but it can be vulnerable
when @@MV_PREV_PAGE@@ is placed in a reachable page. This could be
the case when an Interchange 4.8 catalog was ported to 4.9 or 5.0.

If exploited, the hole can cause arbitrary ITL execution on the system,
and puts your data at risk of loss or compromise.

Interchange 4.8.8 has been released, and it fixes the problem.
It should be a very low-risk update for anything after Interchange
4.8.4.

Tar is at:

    http://ftp.icdevgroup.org/interchange/4.8/tar/interchange-4.8.8.tar.gz

RPMS at:

    http://ftp.icdevgroup.org/interchange/4.8/rpm/

To work around the problem without updating, make sure you remove all
references to @@MV_PREV_PAGE@@ in all pages -- in the standard
foundation this is found in special_pages/missing.html and
special_pages/violation.html. It can be replaced with [subject]
if you have Interchange 4.8.3 or higher or any Interchange 4.9.

-- 
Mike Heins
Perusion -- Expert Interchange Consulting    http://www.perusion.com/
phone +1.765.647.1295      <mike at perusion.com>

Some people have twenty years of experience, some people have
one year of experience twenty times over. -- Anonymous
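
An added example, not part of the original message or of the Interchange project's code: a shell audit for the workaround described in the message, which lists every file still referencing @@MV_PREV_PAGE@@ and can optionally rewrite it to [subject]. The function names, the backup-directory argument and the script name audit.sh are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit catalog pages for the @@MV_PREV_PAGE@@ token and
# optionally swap it for [subject]. Names below are illustrative only.
TOKEN='@@MV_PREV_PAGE@@'

# Print file:line:text for each reference under directory $1.
# Exit status 0 = references found (still exposed), 1 = none found.
find_prev_page_refs() {
    grep -rnF -- "$TOKEN" "$1" 2>/dev/null
}

# Replace the token with [subject] in every file under $1, saving the
# originals under backup directory $2 (keep it outside the catalog so
# the untouched copies are not reachable as pages).
# Per the advisory, only valid on Interchange 4.8.3 or higher, or any 4.9.
replace_prev_page_refs() {
    grep -rlF -- "$TOKEN" "$1" 2>/dev/null | while IFS= read -r f; do
        mkdir -p "$2/$(dirname "$f")" &&
        cp -p "$f" "$2/$f" &&
        sed 's/@@MV_PREV_PAGE@@/[subject]/g' "$2/$f" > "$f" || exit 1
    done
}

# Usage: sh audit.sh CATALOG_DIR [BACKUP_DIR]
# With BACKUP_DIR the references are rewritten, then the tree is rechecked.
if [ "$#" -ge 1 ]; then
    [ "$#" -ge 2 ] && replace_prev_page_refs "$1" "$2"
    if find_prev_page_refs "$1"; then
        echo "references remain: workaround not complete" >&2
        exit 2
    fi
    echo "no $TOKEN references under $1"
fi
```

Run it against every catalog directory, not only special_pages, since pages carried over from a 4.8 catalog can hold the token elsewhere.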

