[ic] Interchange security releases: 5.7.2, 5.6.2, 5.4.4

Rick Bragg lists at gmnet.net
Fri Sep 25 06:47:22 UTC 2009

On Fri, 2009-09-25 at 06:38 +0000, Rick Bragg wrote:
> On Sat, 2009-09-19 at 16:49 -0700, Peter wrote:
> > On 09/19/2009 04:20 PM, Grant wrote:
> > > I hope replying here is alright.  I'm trying to figure out if I'm
> > > vulnerable to this.  I don't use [search-region] or ActionMap at all.
> > > Does that exclude me?
> > 
> > No, you are vulnerable if you use a Standard or Foundation based
> > catalog.  You are vulnerable if you have a search results page that
> > utilizes the Interchange standard search facilities anywhere, even if
> > you do not use it.  If you think you might be vulnerable you probably
> > are.  If you think you are not vulnerable then you still probably are.
> > 
> > I recommend this update for ... pretty much everyone.
> > 
> > 
> > Peter
> > 
> Thanks for this update, I have updated all my e-commerce catalogs with
> no problems at all except for one that is scheduled to go live on next
> Wednesday.  The countdown to bringing Montpelier live has started, and
> the city is like a mob scene, they will be banging on my door because it
> is already really late :) 
> Anyway, my issue is that I am using lots of new tables that I have built
> for "content management" and "social networking" purposes. I am using a
> search similar to the "search_box_small" and "advancedsearch" for much
> of the content, also I am using a "swish" search for pdf files.  The
> tables are somewhat private so I don't want to open them up in the
> "AllowRemoteSearch" config directive in catalog.cfg  
> Are there new ways to use these kinds of searches?  Or is there a
> temporary work-around that I can do for now?
> Thanks again, and please make the mob go away!
> Rick

Actually, I set it up so that all the people using the system are
logging into the affiliates database and nobody will be able to put ITL
anywhere in the site (except the planning department who I am letting do
anything anyway).  However, I will be letting the Clerk login to the
admin area ONLY for "orders".  So is it safe to open up these tables in
this case?  
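A catalog.cfg fragment, added here as an illustration and not taken from the release, the advisory or Rick's catalog, showing the two ways the question above can go. The table names cms_pages, social_posts and pdf_index are made up; the default list (products, variants and options) is what the release-shipped catalog.cfg carries as far as I recall, so check your own copy. The point it makes: AllowRemoteSearch is a catalog-wide directive, not a per-user ACL, so a table listed there is searchable by any request that reaches the catalog, whether or not the visitor has logged in to the affiliates database.

```conf
# Example catalog.cfg fragment (illustration only; table names are made up)

# --- Risky: private tables opened to every remote search request ---
# Anyone who can reach the catalog, not only logged-in affiliates or the
# Clerk, can then search these tables by naming them in mv_search_file
# (fi=) in a URL or form. The login state of known users does not
# narrow this; the directive applies to every request.
AllowRemoteSearch  products variants options cms_pages social_posts pdf_index

# --- Safer: only the public catalog tables are remotely searchable ---
# (assumed default; the private tables are left out on purpose, so a
# client-supplied fi=cms_pages is refused after the update)
AllowRemoteSearch  products variants options
```

If a page still needs to search one of the private tables, keep the table out of this directive and drive that search from the page side, where the table name is fixed in the page rather than taken from the request; which page-side forms remain permitted under the patched releases is something to confirm against the release notes rather than assume from this fragment.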

