[ic] Interchange 4.6.3 and latest security patch

Bob Puff at NLE bob at nleaudio.com
Tue Apr 6 01:58:52 EDT 2004


I successfully applied the patch on a 4.6.3 box, but I had to do it by hand. 
Just look at the patch, look at the existing code.  It will make sense.  If
you need help, email me off list, and I'll send you the file.

Bob


---------- Original Message -----------
From: "Paul Jordan" <paul at gishnetwork.com>
To: <interchange-users at icdevgroup.org>
Sent: Mon, 5 Apr 2004 22:08:03 -0700
Subject: RE: [ic] Interchange 4.6.3 and latest security patch

> Bryan Zimmer [bryanz at gloryworks.com] wrote:
> > I'm running interchange 4.6.3 (shudder shudder) and can't easily
> > upgrade due to the logistics and time involved. I tried to patch
> > 4.6.3 to fix the security hole that was found yesterday but haven't
> > been successful. First I tried only replacing the code that was
> > changed in Vend.pm, which didn't work. Then I replaced the whole page
> > with the one from the latest distribution which seemed to work at
> > first. Only problem is when I go into the admin interface I can get
> > to the first page but as soon as I click on any links (for example to
> > go to the orders) I get a page that says "Error: Not authorized for
> > order administration. Contact administrator?" There's nothing
> > reported in any of the error.log files.
> >
> > Does anyone have any suggestions short of upgrading? Can some
> > Interchange God figure out how to eliminate the security hole from
> > 4.6.3?
> >
> > As a last resort, does anyone know if a catalog from 4.6.3 can be
> > dropped in to 5.0.1 without too many problems?
> 
> I've heard pre 4.8 -> 5 would present problems above the average user.
> 
> I know nothing about 4.6, but you can probably just strip out the 
> code from the missing.html file (which may have been in 
> special_pages/missing.html). That should prevent users from being 
> able to easily interpolate a var.
> 
> Also, the longer you wait, the more expensive an upgrade will be. 
> Just hire Mike, Kevin, Ed or Racke to do it, and be done with it.
> 
> Alternatively, it just may be easier to rebuild the site in 5.
> 
> Paul
> 
------- End of Original Message -------


