[ic] Interchange security releases: 5.7.2, 5.6.2, 5.4.4

Peter peter at pajamian.dhs.org
Sun Sep 20 06:37:35 UTC 2009

On 09/19/2009 08:22 PM, Darnell wrote:
> Peter wrote:
>> On 09/19/2009 04:20 PM, Grant wrote:
>>> I hope replying here is alright.  I'm trying to figure out if I'm
>>> vulnerable to this.  I don't use [search-region] or ActionMap at all.
>>> Does that exclude me?
>> No, you are vulnerable if you use a Standard or Foundation based
>> catalog.  You are vulnerable if you have a search results page that
>> utilizes the Interchange standard search facilities anywhere, even if
>> you do not use it.  If you think you might be vulnerable you probably
>> are.  If you think you are not vulnerable then you still probably are.
>> I recommend this update for ... pretty much everyone.
>> Peter
> I know some things that have not been addressed, different language search,
> like search in Chinese.
> Also be able to run multiple stores.

I don't think this update will affect language searches, but please do
test it before upgrading your live site.  I am very sure that it does
not affect multiple stores as I have already run the upgrade for a
client who has multiple catalogs running off of a single Interchange
server and I'm sure I'm not the only one.

That said, if you have multiple catalogs running under a single
Interchange server and they are accessed by different people who should
not have access to files from the other catalogs (or indeed from any
other files on the server itself), then you should definitely perform
this update because it also addresses a separate security vulnerability
that allows any catalog to access all files which are accessible to the
system user that the Interchange server is running under.

