[ic] Interchange 4.6.3 and latest security patch

Bryan Zimmer bryanz at gloryworks.com
Mon Apr 5 23:46:34 EDT 2004


I'm running Interchange 4.6.3 (shudder shudder) and can't easily upgrade due
to the logistics and time involved. I tried to patch 4.6.3 to fix the
security hole that was found yesterday but haven't been successful. First I
tried only replacing the code that was changed in Vend.pm, which didn't
work. Then I replaced the whole page with the one from the latest
distribution which seemed to work at first. Only problem is when I go into
the admin interface I can get to the first page but as soon as I click on
any links (for example to go to the orders) I get a page that says "Error:
Not authorized for order administration. Contact administrator?" There's
nothing reported in any of the error.log files.

Does anyone have any suggestions short of upgrading? Can some Interchange
God figure out how to eliminate the security hole from 4.6.3?

As a last resort, does anyone know if a catalog from 4.6.3 can be dropped in
to 5.0.1 without too many problems?

Here's the code from the 4.6.3 version of Page.pm that would get patched if
the patch worked with 4.6.3:

sub display_special_page {
    my($name, $subject) = @_;
    my($page);

    $subject = $subject || 'unspecified error';

    $page = readin($name);
    die ::get_locale_message(412, "Missing special page: %s\n", $name)
        unless defined $page;
    $page =~ s#\[subject\]#$subject#ig;
    return ::response(::interpolate_html($page, 1));
}

sub display_page {
    my($name) = @_;
    my($page);

    $name = $CGI::values{mv_nextpage} unless $name;
#::logDebug("display_page: $name");
    if($Vend::Cfg->{ExtraSecure} and
        $Vend::Cfg->{AlwaysSecure}->{$name}
        and !$CGI::secure) {
        $name = find_special_page('violation');
    }

    $page = readin($name);
# TRACK
    if (defined $page) {
        $Vend::Track->view_page($name);
    }
# END TRACK

    # Try for on-the-fly if not there
    if(! defined $page) {
        $page = Vend::Interpolate::fly_page($name);
    }

    if (defined $page) {
        ::response(::interpolate_html($page, 1));
        return 1;
    }
    else {
        display_special_page(find_special_page('missing'), $name);
        return 0;
    }
}




