[ic] Interchange security releases: 5.7.2, 5.6.2, 5.4.4

Curt Hauge ic_support at mnwebdesign.com
Sun Sep 20 16:58:23 UTC 2009


I apologize for that outburst, it was meant to be a test reply to another
email.

Curt


> -----Original Message-----
> From: interchange-users-bounces at icdevgroup.org
> [mailto:interchange-users-bounces at icdevgroup.org]On Behalf Of Curt Hauge
> Sent: Sunday, September 20, 2009 10:46 AM
> To: interchange-users at icdevgroup.org
> Subject: Re: [ic] Interchange security releases: 5.7.2, 5.6.2, 5.4.4
>
>
> hello
>

>
> > -----Original Message-----
> > From: interchange-users-bounces at icdevgroup.org
> > [mailto:interchange-users-bounces at icdevgroup.org]On Behalf Of Jon Jensen
> > Sent: Thursday, September 17, 2009 5:02 PM
> > To: interchange-announce at icdevgroup.org;
> > interchange-users at icdevgroup.org
> > Subject: [ic] Interchange security releases: 5.7.2, 5.6.2, 5.4.4
> >
> >
> > Today we are releasing three new versions of Interchange:
> >
> > * Interchange 5.7.2 is the latest development version representing 10
> > months of improvements and an impressive list of new features to improve
> > developer efficiency and fix bugs.
> >
> > * Interchange 5.6.2 is the latest stable version which includes the most
> > important changes backported to provide the most stability possible for
> > those upgrading from versions 5.6.0 or 5.6.1.
> >
> > * Interchange 5.4.4 is an update of the previous stable series of
> > releases
> > provided only to fix a serious security problem.
> >
> > All three releases provide a new security feature to close a serious
> > security vulnerability which we will describe here in detail:
> >
> > A remotely exploitable security vulnerability has been discovered where
> > any table configured within Interchange could be viewed remotely by an
> > unauthenticated user, by using a specially crafted search request.
> >
> > This vulnerability affects all previous versions of Interchange. Even
> > without using the search structure provided in the default install, your
> > catalog could still be vulnerable.
> >
> > To protect against exploits, we strongly recommend all public
> Interchange
> > sites upgrade and use the new configuration directive AllowRemoteSearch.
> >
> > AllowRemoteSearch limits what database tables are remotely
> searchable and
> > should be specified in each catalog configuration. It defaults
> > to:
> >
> >      AllowRemoteSearch products variants options
> >
> > Any table specified in this option will be remotely searchable, and you
> > should not permit any table with sensitive information to be searched in
> > this way. You should carefully consider the implications of adding any
> > further tables to this configuration option.
> >
> > Remote searches may have been used by your existing catalog.
> These should
> > continue working without any changes as long as they only search tables
> > that are permitted by the AllowRemoteSearch directive. You should
> > carefully examine your catalog for uses of the search form action, or
> > pages which submit a form to a page called search or scan. If
> > they specify
> > a search file other than products, variants, or options, you should
> > consider rewriting that page to just accept the search terms via CGI
> > parameters, and not the entire search. Please consult the
> > documentation on
> > in-page searches:
> >
> > http://www.icdevgroup.org/doc/icdatabase.html#In-Page%20Searches
> >
> > If your catalog makes use of ActionMaps that perform searches, these
> > should continue to work as intended as long as they search a
> > table allowed
> > by AllowRemoteSearch. However, you should consider updating them to use
> > the new "search" tag. For example, an existing ActionMap that performs a
> > search like this:
> >
> >      ActionMap old_cat <<EOR
> >      sub {
> >           my ($action, $class) = split('/', shift);
> >
> >           $class =~ s/_/ /g;
> >
> >           # Originally, search parameters were placed in the CGI hash.
> >           $CGI->{co} = 1;
> >           $CGI->{fi} = 'products';
> >           $CGI->{st} = 'db';
> >           $CGI->{sf} = 'category';
> >           $CGI->{se} = "$class";
> >           $CGI->{sp} = 'results';
> >           $CGI->{tf} = 'category,description:f';
> >           $CGI->{op} = 'eq';
> >
> >           $CGI->{mv_todo} = 'search';
> >           $CGI->{mv_nextpage} = 'results';
> >           # And the "update" tag was called to re-evaluate the page with
> >           # the provided search parameters.
> >           $Tag->update('process');
> >           return 1;
> >      }
> >      EOR
> >
> > Would be updated to instead look like this:
> >
> >      ActionMap new_cat <<EOR
> >      sub {
> >           my ($action, $class) = split('/', shift);
> >
> >           $class =~ s/_/ /g;
> >
> >           # Now, you must create a hash to hold the search parameters.
> >           my $search;
> >           $search->{co} = 1;
> >           $search->{fi} = 'products';
> >           $search->{st} = 'db';
> >           $search->{sf} = 'category';
> >           $search->{se} = "$class";
> >           $search->{sp} = 'results';
> >           $search->{tf} = 'category,description:f';
> >           $search->{op} = "eq";
> >
> >           $CGI->{mv_nextpage} = 'results';
> >           # And call the new search tag, which isn't subject to the
> >           # AllowRemoteSearch restrictions.
> >           $Tag->search({ search => $search });
> >
> >           return 1;
> >      }
> >      EOR
> >
> > If you are using a modern version of the standard catalog as the basis
> > for your catalog, there is a special subroutine that provides friendly
> > URLs for product categories, but is not a traditional ActionMap. Similar
> > to the example above, you will need to alter your catalog.cfg, replacing
> > the entire Sub ncheck_category with:
> >
> > Sub ncheck_category <<EOS
> > sub {
> >      my ($name) = @_;
> >      return unless $name =~ m{^[A-Z]};
> >      $name =~ s,_, ,g;
> >      my ($prod_group, $category) = split m{/}, $name;
> >
> >      my $search;
> >      $search->{co} = 1;
> >      $search->{fi} = 'products';
> >      $search->{st} = 'db';
> >      $search->{sf} = join "\0", 'prod_group', 'category';
> >      $search->{op} = join "\0", 'eq', 'eq';
> >      $search->{se} = join "\0", $prod_group, $category;
> >      $search->{sp} = 'results';
> >      $search->{mv_todo} = 'search';
> >      $Tag->search({ search => $search });
> >      if (($o = $Search->{''}) && @{$o->{mv_results}}) {
> >          return (1,  $Config->{Special}->{results});
> >      }
> >
> >      return;
> > }
> > EOS
> >
> > In the standard and foundation catalogs, the "lost password"
> feature makes
> > use of the remote search feature to be able to retrieve lost
> passwords. We
> > recommend that you delete catalog/pages/query/get_password.html
> from your
> > catalog, and replace catalog/pages/query/lost_password.html with an
> > updated version from one of these new releases. As an
> alternative, you may
> > apply the following patch to your existing file:
> >
> > --- a/dist/standard/pages/query/get_password.html
> > +++ b/dist/standard/pages/query/get_password.html
> > @@ -32,8 +32,10 @@ ui_template_name: leftonly
> >          if( $Scratch->{tried_pw_retrieve}++ > 10 ) {
> >                  return "No way, Jos&eacute;. Too many times.";
> >          }
> >       $CGI->{mv_todo} = 'search';
> >          $Config->{NoSearch} = '';
> > +       push(@{$Config->{AllowRemoteSearch}},'userdb');
> > +       return;
> >   [/perl]
> >   [update process]
> >   [search-region]
> >
> > This is not a recommended solution, and is only a workaround
> until you can
> > consider the changes in the updated lost password page.
> >
> > We thank Mark Lipscombe for finding and fixing this
> vulnerability and for
> > his other contributions to these releases.
> >
> > The software and more detailed change logs are available here:
> >
> > http://ftp.icdevgroup.org/interchange/
> >
> > SHA1 hashes of the release files:
> >
> > 4975ab7779d52347aba571681e0238c3ef923136  interchange-5.7.2.tar.bz2
> > dd5c46e3047f6c57495263b265615c0814d0416d  interchange-5.7.2.tar.gz
> >
> > e64cdb2317c6c7d5cfe01cddcda0c6a4c9e070d2  interchange-5.6.2.tar.bz2
> > ced5a8b8c6821456cef76ca0d45e635853fc1757  interchange-5.6.2.tar.gz
> >
> > 49fb93c90e7b9705b7484f6e64f443600956dbf8  interchange-5.4.4.tar.bz2
> > bc0978607242db6685d12bb6f2227054f072d707  interchange-5.4.4.tar.gz
> >
> > Detached PGP signatures signed by my key (id DCCAC084) are alongside
> > each file for download and verification.
> >
> > Further information and links to documentation and the user discussion
> > mailing list are at:
> >
> > http://www.icdevgroup.org/
> >
> > Jon Jensen
> > Interchange Development Group
> >
> > _______________________________________________
> > interchange-users mailing list
> > interchange-users at icdevgroup.org
> > http://www.icdevgroup.org/mailman/listinfo/interchange-users
>
>
> _______________________________________________
> interchange-users mailing list
> interchange-users at icdevgroup.org
> http://www.icdevgroup.org/mailman/listinfo/interchange-users




More information about the interchange-users mailing list