[ic] Important: Security flaw found in Interchange demo catalog.

Jonathan Clark jonc at webmaint.com
Thu Sep 22 18:28:33 EDT 2005


> A security flaw has been discovered in the Interchange demo catalog which
> allows an arbitrary user to inject Interchange Tag Language (ITL) into the
> forum/submit.html page. This affects catalogs built on the 'mike' demo and
> the 'standard' demo included with Interchange from version 4.9.3
> (development) and 5.0 (stable).

This also includes the 'foundation' demo for the above versions.

Here's the patch from Mike Heins, if you would like to manually apply:

rev 1.4, prev_rev 1.3
Index: submit.html
===================================================================
RCS file: /var/cvs/interchange/dist/standard/pages/forum/submit.html,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- submit.html	4 Jun 2005 05:49:40 -0000	1.3
+++ submit.html	22 Sep 2005 16:59:07 -0000	1.4
@@ -48,13 +48,16 @@
 		my $noscrub;
 		if(! $type) {
 			# do nothing
+			$value =~ s/\[/[/g;
 		}
 		elsif($type eq '2') {
 			$value = $Tag->filter('text2html', $value);
+			$value =~ s/\[/[/g;
 		}
 		elsif($type eq '4') {
 			unless ($value =~ m{</\s*xmp\s*>}i) {
 				$noscrub = 1;
+				$value =~ s/\[//g;
 				$value = "<XMP>$value</XMP>";
 			}
 		}
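
Review bot: In the first two branches the added substitution `$value =~ s/\[/[/g;` replaces `[` with `[` as displayed here, which changes nothing, so the untyped and `text2html` branches would still pass ITL brackets through. The replacement side was most likely an HTML entity for `[` (for example `&#91;`, which is an assumption) that the list archive decoded on display; compare against revision 1.4 in CVS before applying by hand. In the type '4' branch the bracket is deleted with `s/\[//g` rather than escaped, and only inside the `unless`, so a value that already contains a closing xmp tag depends on whatever scrubbing runs later when `$noscrub` is unset; a comment stating that would help.
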
@@ -77,7 +80,9 @@
 	<table>
 	<tr>
 	<td bgcolor="#eeeeee">
-	<B>[cgi name=subject filter=restrict_html]<br>
+	[restrict enable=cgi]
+	<B>[cgi name=subject filter="restrict_html"]<br>
+	[/restrict]
 	by [either][value fname][or]Guest user[/either] on [convert-date fmt="%A,
%B %e, %Y @%H:%M"][/convert-date]<B>
 	</td>
 	</tr>
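
Review bot: The `[restrict enable=cgi]` block in the second hunk encloses only the subject line, while `[value fname]` on the following context line is emitted outside it and with no filter; if `fname` can be set by the poster it should get the same treatment as `subject`. A short comment above `[restrict enable=cgi]` saying why the block is needed would keep it from being removed later. For manual application, the `[convert-date ...]` context line is wrapped across two lines in this message and has to be rejoined for the hunk to match, and that same context line ends the bold run with `<B>` rather than `</B>`.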




Jonathan.


--
Jonathan Clark
Managing Director,
Webmaint.com   - Building Clever Websites        http://www.webmaint.com
Webmaint.net   - Business Web Hosting            http://www.webmaint.net
Cartridge SAVE - Printer Consumables Online
http://www.cartridgesave.co.uk
WireTel        - Internet Connectivity Solutions http://www.wiretel.net


