[ic] Interchange security releases: 5.7.2, 5.6.2, 5.4.4
emailgrant at gmail.com
Sun Sep 20 18:16:06 UTC 2009
>>>> I hope replying here is alright. I'm trying to figure out if I'm
>>>> vulnerable to this. I don't use [search-region] or ActionMap at all.
>>>> Does that exclude me?
>>> No, you are vulnerable if you use a Standard or Foundation based
>>> catalog. You are vulnerable if you have a search results page that
>>> utilizes the Interchange standard search facilities anywhere, even if
>>> you do not use it. If you think you might be vulnerable you probably
>>> are. If you think you are not vulnerable then you still probably are.
>>> I recommend this update for ... pretty much everyone.
>> I know some things that have not been addressed, different language search,
>> like search in Chinese.
>> Also be able to run multiple stores.
> I don't think this update will affect language searches, but please do
> test it before upgrading your live site. I am very sure that it does
> not affect multiple stores as I have already run the upgrade for a
> client who has multiple catalogs running off of a single Interchange
> server and I'm sure I'm not the only one.
> That said, if you have multiple catalogs running under a single
> Interchange server and they are accessed by different people who should
> not have access to files from the other catalogs (or indeed from any
> other files on the server itself), then you should definitely perform
> this update because it also addresses a separate security vulnerability
> that allows any catalog to access all files which are accessible to the
> system user that the Interchange server is running under.
Can any web user view those files, or just a person logged into the server?