[ic] Security Problem in Interchange
jon at endpoint.com
Mon Mar 29 10:51:43 EST 2004
On Mon, 29 Mar 2004, Barry Treahy, Jr. wrote:
> >All versions of Interchange (4.8.x, 5.0.x, 5.1.x) contain a security hole
> >which allows an attacker to expose arbitrary variable contents by using
> >a URL like http://shop.example.com/cgi-bin/store/__SQLUSER__.
> >All Interchange applications using the standard "missing" special page
> >from the demo catalog or a similar one are vulnerable to this attack.
> >The attacker may learn the SQL access information for your Interchange
> >application and use this information to read and manipulate sensitive
> >Attached are patches for the following Interchange versions:
> >4.8.x: Page-4.8.diff
> I manually applied this patch to the 4.8.6 system I have running,
> restarted IC, flushed my browser cache and still seeing the same
> results... any thoughts?
I believe this is because earlier versions of 4.8.x had a missing.html
that used [tmp]...[/tmp] to set the page name, which causes
reinterpolation of the variable. That was changed for 4.8.8 in December.
The safest thing to do is remove all @@MV_PREV_PAGE@@ and [subject] from
your missing.html, especially if you're using an older version of IC and
may not have applied other security patches before this one.
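The following is an added illustration of the mechanism Jon describes, not code from the original thread and not Interchange's own template engine: a simplified Python model in which __NAME__ tokens are expanded from a catalog variable table, and a demo-style "missing" page echoes the requested page name through a @@MV_PREV_PAGE@@ placeholder. The variable names, values and template text are constructed for the example. It shows three orderings: the leaking one (page name inserted, then everything interpolated), an "expand first" fix that still leaks once the page body is interpolated a second time (the [tmp]...[/tmp] reinterpolation case from the reply), and a hardened version that also neutralises the __ delimiter in the untrusted value.

```python
import re

# Constructed catalog variables for the demonstration (hypothetical values,
# not real credentials and not taken from any Interchange catalog).
CATALOG_VARIABLES = {
    "SQLUSER": "shopdb_user",
    "SQLPASS": "hunter2",
    "COMPANY": "Example Shop",
}
SECRET_NAMES = {"SQLUSER", "SQLPASS"}

# Models __NAME__ variable references in page text.
VAR_TOKEN = re.compile(r"__([A-Z0-9]+)__")


def interpolate(text, variables=CATALOG_VARIABLES):
    """Expand every __NAME__ token; unknown names are left as written."""
    return VAR_TOKEN.sub(lambda m: variables.get(m.group(1), m.group(0)), text)


# Stand-in for a demo-style missing.html that echoes the requested page name
# back to the visitor through a placeholder (constructed template).
PAGE_PLACEHOLDER = "@@MV_PREV_PAGE@@"
MISSING_TEMPLATE = 'Sorry, the page "@@MV_PREV_PAGE@@" was not found at __COMPANY__.'


def escape_page_name(name):
    """Break the __ delimiter so the untrusted name can never be read back as a
    variable token. &#95; renders as '_' in a browser but never matches
    VAR_TOKEN, so it also survives any later interpolation pass."""
    return name.replace("_", "&#95;")


def render_missing_vulnerable(requested_page):
    """Leaking order: the untrusted page name is pasted in first and the whole
    page is interpolated afterwards, so __SQLUSER__ from the URL expands just
    like a variable written by the catalog author."""
    page = MISSING_TEMPLATE.replace(PAGE_PLACEHOLDER, requested_page)
    return interpolate(page)


def render_missing_order_only(requested_page):
    """Author's variables expanded first, raw page name inserted afterwards.
    Safe only as long as nothing interpolates the result a second time."""
    page = interpolate(MISSING_TEMPLATE)
    return page.replace(PAGE_PLACEHOLDER, requested_page)


def render_missing_hardened(requested_page):
    """Expand first AND neutralise the delimiter in the untrusted value, so a
    later reinterpolation pass finds no token to expand."""
    page = interpolate(MISSING_TEMPLATE)
    return page.replace(PAGE_PLACEHOLDER, escape_page_name(requested_page))


def leaks_secret(rendered):
    """True if the value of any secret variable appears in the rendered page."""
    return any(CATALOG_VARIABLES[n] in rendered for n in SECRET_NAMES)


if __name__ == "__main__":
    probe = "__SQLUSER__"  # the page name an attacker puts in the URL
    for label, render in [("vulnerable", render_missing_vulnerable),
                          ("order only", render_missing_order_only),
                          ("hardened", render_missing_hardened)]:
        out = render(probe)
        # Second pass models a template that interpolates the page body again,
        # as the older [tmp]...[/tmp] missing.html described in the thread did.
        again = interpolate(out)
        print(f"{label:11}: leak={leaks_secret(out)!s:5} "
              f"after reinterpolation={leaks_secret(again)}")
```

Run it as a script to see which ordering leaks, and when. The "order only" variant is the one that looks fixed in a single-pass renderer but still discloses the variable once the body is interpolated again, which is why dropping the echo of the requested page name entirely, as suggested above, is the simplest fix when you cannot be sure how many passes the page goes through.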