[ic] Interchange security releases: 5.7.2, 5.6.2, 5.4.4
peter at pajamian.dhs.org
Sun Sep 20 21:09:45 UTC 2009
On 09/20/2009 11:16 AM, Grant wrote:
>>>>> I hope replying here is alright. I'm trying to figure out if I'm
>>>>> vulnerable to this. I don't use [search-region] or ActionMap at all.
>>>>> Does that exclude me?
>>>> No, you are vulnerable if you use a Standard or Foundation based
>>>> catalog. You are vulnerable if you have a search results page that
>>>> utilizes the Interchange standard search facilities anywhere, even if
>>>> you do not use it. If you think you might be vulnerable you probably
>>>> are. If you think you are not vulnerable then you still probably are.
>>>> I recommend this update for ... pretty much everyone.
>>> I know somethings that have not been address, different language search,
>>> like search in Chinese.
>>> Also be able to run multiple stores.
>> I don't think this update will affect language searches, but please do
>> test it before upgrading your live site. I am very sure that it does
>> not affect multiple stores as I have already run the upgrade for a
>> client who has multiple catalogs running off of a single Interchange
>> server and I'm sure I'm not the only one.
>> That said, if you have multiple catalogs running under a single
>> Interchange server and they are accessed by different people who should
>> not have access to files from the other catalogs (or indeed from any
>> other files on the server itself), then you should definitely perform
>> this update because it also addresses a separate security vulnerability
>> that allows any catalog to access all files which are accessible to the
>> system user that the Interchange server is running under.
> Can any web user view those files, or just a person logged into the server?
Just people who have admin access to Interchange, or enough access to be
able to inject ITL somewhere. Keep in mind that if someone can find a
code injection vulnerability on one of your pages then this can be used
to greatly increase what they can see and do. Basically it allows a
user to bypass the NoAbsolute global configuration directive. Also this
vulnerability allows write as well as read access to any files that the
interch user can write.
More information about the interchange-users