[ic] Important: Security flaw found in Interchange demo catalog.
Jonathan Clark
jonc at webmaint.com
Thu Sep 22 18:28:33 EDT 2005
> A security flaw has been discovered in the Interchange demo catalog which
> allows an arbitrary user to inject Interchange Tag Language (ITL) into the
> forum/submit.html page. This affects catalogs built on the 'mike' demo and
> the 'standard' demo included with Interchange from version 4.9.3
> (development) and 5.0 (stable).
This also includes the 'foundation' demo for the above versions.
Here's the patch from Mike Heins, if you would like to manually apply:
rev 1.4, prev_rev 1.3
Index: submit.html
===================================================================
RCS file: /var/cvs/interchange/dist/standard/pages/forum/submit.html,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- submit.html 4 Jun 2005 05:49:40 -0000 1.3
+++ submit.html 22 Sep 2005 16:59:07 -0000 1.4
@@ -48,13 +48,16 @@
my $noscrub;
if(! $type) {
# do nothing
+ $value =~ s/\[/[/g;
}
elsif($type eq '2') {
$value = $Tag->filter('text2html', $value);
+ $value =~ s/\[/[/g;
}
elsif($type eq '4') {
unless ($value =~ m{</\s*xmp\s*>}i) {
$noscrub = 1;
+ $value =~ s/\[//g;
$value = "<XMP>$value</XMP>";
}
}
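Review bot: In the `! $type` and `$type eq '2'` branches the added line reads `$value =~ s/\[/[/g;`, which as printed replaces `[` with itself and so neutralises nothing. The replacement side was most likely an HTML entity for `[` that the list archive decoded on display, so anyone applying this by hand should take the line from revision 1.4 in CVS rather than copying it from this message. In the `$type eq '4'` branch the bracket stripping sits inside the `unless`, so a value that does contain a closing `</xmp>` skips it; the code that handles that case lies outside this hunk and is worth checking for the same treatment.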
@@ -77,7 +80,9 @@
<table>
<tr>
<td bgcolor="#eeeeee">
- <B>[cgi name=subject filter=restrict_html]<br>
+ [restrict enable=cgi]
+ <B>[cgi name=subject filter="restrict_html"]<br>
+ [/restrict]
by [either][value fname][or]Guest user[/either] on [convert-date fmt="%A,
%B %e, %Y @%H:%M"][/convert-date]<B>
</td>
</tr>
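Review bot: The `[restrict enable=cgi]` ... `[/restrict]` pair covers only the subject line, so `[value fname]` on the following `by [either]...` line is still emitted outside the restricted block and with no filter visible. If `fname` can carry user-supplied text, consider filtering it the same way as the subject. Separately, the unchanged context line ends with `<B>` where a closing `</B>` looks intended.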
Jonathan.
--
Jonathan Clark
Managing Director,
Webmaint.com - Building Clever Websites http://www.webmaint.com
Webmaint.net - Business Web Hosting http://www.webmaint.net
Cartridge SAVE - Printer Consumables Online
http://www.cartridgesave.co.uk
WireTel - Internet Connectivity Solutions http://www.wiretel.net