[ic] Important: Security flaw found in Interchange demo catalog.

Jonathan Clark jonc at webmaint.com
Thu Sep 22 18:02:59 EDT 2005


A security flaw has been discovered in the Interchange demo catalog which
allows an arbitrary user to inject Interchange Tag Language (ITL) into the
forum/submit.html page. This affects catalogs built on the 'mike' demo and
the 'standard' demo included with Interchange from version 4.9.3
(development) and 5.0 (stable).

The Interchange Development Group recommends that all vulnerable catalogs
are immediately patched with the updated version of the forum/submit.html
file. Alternatively, if the forum feature is not being used, the page can
safely be removed. Whether or not the forum feature is being used, this page
should be patched or removed.

Updated releases of Interchange, 5.0.2 and 5.2.1, are available; RPM versions
will follow.

http://ftp.icdevgroup.org/interchange/5.0/tar/
http://ftp.icdevgroup.org/interchange/5.2/tar/

The daily build will be updated as of 23 September.


Jonathan Clark
on behalf of ICDEVGROUP.


