[ic] IC-specific hacking attempt

Paul Jordan paul at gishnetwork.com
Sun Mar 28 18:40:27 EST 2004


Doug Alcorn [lathinet at yahoo.com] wrote:
> "Kevin Walsh" <kevin at cursor.biz> writes:
>
>> Doug Alcorn [lathinet at yahoo.com] wrote:
>>> I applied the patch and it half-way works.  It
>>> prevents the interpreting of the variable in the main
>>> body; however, the page still has the interpreted
>>> variable in the page title.
>>>
>> You are probably using @@MV_PREV_PAGE@@ instead of [subject] in
>> parts of your missing.html.  Either correct it to use [subject] or
>> upgrade to a version of Interchange that will trap attempts to
>> exploit the problems.  I suggest doing both.
>>
>> @@MV_PREV_PAGE@@ was patched some time ago.  A new version to cover
>> [subject] will be released soon.  It was about to be released anyway.
>
> I don't doubt what you say, I'm just having a hard
> time figuring out what to do about it.  I'm running
> Interchange 5.0.0-1 from Racke's personal debian
> archive.  I did a grep MV_PREV_PAGE in my catalog's
> pages directory with no hits.  What else can I change?


Actually, that is too far, grep at catroot, as it is in
special_pages/missing.html, not pages/.

Things like this cannot be avoided all the time, that is why it is imperitive
to make an effort to keep senstive clear data off a web server entirely.

http://www.icdevgroup.org/pipermail/interchange-users/2003-March/032105.html

(Note: AuthorizeNet no longer allows cc numbers to be downloaded in the clear).

Paul






More information about the interchange-users mailing list