[ic] Interchange security releases: 5.7.2, 5.6.2, 5.4.4

Grant emailgrant at gmail.com
Sun Sep 20 22:35:25 UTC 2009

>>>>>> I hope replying here is alright.  I'm trying to figure out if I'm
>>>>>> vulnerable to this.  I don't use [search-region] or ActionMap at all.
>>>>>> Does that exclude me?
>>>>> No, you are vulnerable if you use a Standard or Foundation based
>>>>> catalog.  You are vulnerable if you have a search results page that
>>>>> utilizes the Interchange standard search facilities anywhere, even if
>>>>> you do not use it.  If you think you might be vulnerable you probably
>>>>> are.  If you think you are not vulnerable then you still probably are.
>>>>> I recommend this update for ... pretty much everyone.
>>>>> Peter
>>>> I know some things that have not been addressed: different language search,
>>>> like search in Chinese.
>>>> Also being able to run multiple stores.
>>> I don't think this update will affect language searches, but please do
>>> test it before upgrading your live site.  I am very sure that it does
>>> not affect multiple stores as I have already run the upgrade for a
>>> client who has multiple catalogs running off of a single Interchange
>>> server and I'm sure I'm not the only one.
>>> That said, if you have multiple catalogs running under a single
>>> Interchange server and they are accessed by different people who should
>>> not have access to files from the other catalogs (or indeed from any
>>> other files on the server itself), then you should definitely perform
>>> this update because it also addresses a separate security vulnerability
>>> that allows any catalog to access all files which are accessible to the
>>> system user that the Interchange server is running under.
>>> Peter
>> Can any web user view those files, or just a person logged into the server?
> Just people who have admin access to Interchange, or enough access to be
> able to inject ITL somewhere.  Keep in mind that if someone can find a
> code injection vulnerability on one of your pages then this can be used
> to greatly increase what they can see and do.  Basically it allows a
> user to bypass the NoAbsolute global configuration directive.  Also this
> vulnerability allows write as well as read access to any files that the
> interch user can write.
> Peter

Thank you for the info.

- Grant
