Mailing List Archive: Interchange: users

Interchange security releases: 5.7.2, 5.6.2, 5.4.4

Index | Next | Previous | View Threaded

jon at endpoint

Sep 17, 2009, 3:02 PM

Post #1 of 25 (2799 views)
Permalink

Interchange security releases: 5.7.2, 5.6.2, 5.4.4

Today we are releasing three new versions of Interchange:

* Interchange 5.7.2 is the latest development version representing 10
months of improvements and an impressive list of new features to improve
developer efficiency and fix bugs.

* Interchange 5.6.2 is the latest stable version which includes the most
important changes backported to provide the most stability possible for
those upgrading from versions 5.6.0 or 5.6.1.

* Interchange 5.4.4 is an update of the previous stable series of releases
provided only to fix a serious security problem.

All three releases provide a new security feature to close a serious
security vulnerability which we will describe here in detail:

A remotely exploitable security vulnerability has been discovered where
any table configured within Interchange could be viewed remotely by an
unauthenticated user, by using a specially crafted search request.

This vulnerability affects all previous versions of Interchange. Even
without using the search structure provided in the default install, your
catalog could still be vulnerable.

To protect against exploits, we strongly recommend all public Interchange
sites upgrade and use the new configuration directive AllowRemoteSearch.

AllowRemoteSearch limits what database tables are remotely searchable and
should be specified in each catalog configuration. It defaults
to:

AllowRemoteSearch products variants options

Any table specified in this option will be remotely searchable, and you
should not permit any table with sensitive information to be searched in
this way. You should carefully consider the implications of adding any
further tables to this configuration option.

Remote searches may have been used by your existing catalog. These should
continue working without any changes as long as they only search tables
that are permitted by the AllowRemoteSearch directive. You should
carefully examine your catalog for uses of the search form action, or
pages which submit a form to a page called search or scan. If they specify
a search file other than products, variants, or options, you should
consider rewriting that page to just accept the search terms via CGI
parameters, and not the entire search. Please consult the documentation on
in-page searches:

http://www.icdevgroup.org/doc/icdatabase.html#In-Page%20Searches

If your catalog makes use of ActionMaps that perform searches, these
should continue to work as intended as long as they search a table allowed
by AllowRemoteSearch. However, you should consider updating them to use
the new "search" tag. For example, an existing ActionMap that performs a
search like this:

ActionMap old_cat <<EOR
sub {
my ($action, $class) = split('/', shift);

$class =~ s/_/ /g;

# Originally, search parameters were placed in the CGI hash.
$CGI->{co} = 1;
$CGI->{fi} = 'products';
$CGI->{st} = 'db';
$CGI->{sf} = 'category';
$CGI->{se} = "$class";
$CGI->{sp} = 'results';
$CGI->{tf} = 'category,description:f';
$CGI->{op} = 'eq';

$CGI->{mv_todo} = 'search';
$CGI->{mv_nextpage} = 'results';
# And the "update" tag was called to re-evaluate the page with
# the provided search parameters.
$Tag->update('process');
return 1;
}
EOR

Would be updated to instead look like this:

ActionMap new_cat <<EOR
sub {
my ($action, $class) = split('/', shift);

$class =~ s/_/ /g;

# Now, you must create a hash to hold the search parameters.
my $search;
$search->{co} = 1;
$search->{fi} = 'products';
$search->{st} = 'db';
$search->{sf} = 'category';
$search->{se} = "$class";
$search->{sp} = 'results';
$search->{tf} = 'category,description:f';
$search->{op} = "eq";

$CGI->{mv_nextpage} = 'results';
# And call the new search tag, which isn't subject to the
# AllowRemoteSearch restrictions.
$Tag->search({ search => $search });

return 1;
}
EOR

If you are using a modern version of the standard catalog as the basis
for your catalog, there is a special subroutine that provides friendly
URLs for product categories, but is not a traditional ActionMap. Similar
to the example above, you will need to alter your catalog.cfg, replacing
the entire Sub ncheck_category with:

Sub ncheck_category <<EOS
sub {
my ($name) = @_;
return unless $name =~ m{^[A-Z]};
$name =~ s,_, ,g;
my ($prod_group, $category) = split m{/}, $name;

my $search;
$search->{co} = 1;
$search->{fi} = 'products';
$search->{st} = 'db';
$search->{sf} = join "\0", 'prod_group', 'category';
$search->{op} = join "\0", 'eq', 'eq';
$search->{se} = join "\0", $prod_group, $category;
$search->{sp} = 'results';
$search->{mv_todo} = 'search';
$Tag->search({ search => $search });
if (($o = $Search->{''}) && @{$o->{mv_results}}) {
return (1, $Config->{Special}->{results});
}

return;
}
EOS

In the standard and foundation catalogs, the "lost password" feature makes
use of the remote search feature to be able to retrieve lost passwords. We
recommend that you delete catalog/pages/query/get_password.html from your
catalog, and replace catalog/pages/query/lost_password.html with an
updated version from one of these new releases. As an alternative, you may
apply the following patch to your existing file:

--- a/dist/standard/pages/query/get_password.html
+++ b/dist/standard/pages/query/get_password.html
@@ -32,8 +32,10 @@ ui_template_name: leftonly
if( $Scratch->{tried_pw_retrieve}++ > 10 ) {
return "No way, José. Too many times.";
}
$CGI->{mv_todo} = 'search';
$Config->{NoSearch} = '';
+ push(@{$Config->{AllowRemoteSearch}},'userdb');
+ return;
[/perl]
[update process]
[search-region]

This is not a recommended solution, and is only a workaround until you can
consider the changes in the updated lost password page.

We thank Mark Lipscombe for finding and fixing this vulnerability and for
his other contributions to these releases.

The software and more detailed change logs are available here:

http://ftp.icdevgroup.org/interchange/

SHA1 hashes of the release files:

4975ab7779d52347aba571681e0238c3ef923136 interchange-5.7.2.tar.bz2
dd5c46e3047f6c57495263b265615c0814d0416d interchange-5.7.2.tar.gz

e64cdb2317c6c7d5cfe01cddcda0c6a4c9e070d2 interchange-5.6.2.tar.bz2
ced5a8b8c6821456cef76ca0d45e635853fc1757 interchange-5.6.2.tar.gz

49fb93c90e7b9705b7484f6e64f443600956dbf8 interchange-5.4.4.tar.bz2
bc0978607242db6685d12bb6f2227054f072d707 interchange-5.4.4.tar.gz

Detached PGP signatures signed by my key (id DCCAC084) are alongside
each file for download and verification.

Further information and links to documentation and the user discussion
mailing list are at:

http://www.icdevgroup.org/

Jon Jensen
Interchange Development Group

_______________________________________________
interchange-users mailing list
interchange-users [at] icdevgroup
http://www.icdevgroup.org/mailman/listinfo/interchange-users

emailgrant at gmail

Sep 19, 2009, 4:20 PM

Post #2 of 25 (2730 views)
Permalink

Re: Interchange security releases: 5.7.2, 5.6.2, 5.4.4 [In reply to]

> Today we are releasing three new versions of Interchange:
>
> * Interchange 5.7.2 is the latest development version representing 10
> months of improvements and an impressive list of new features to improve
> developer efficiency and fix bugs.
>
> * Interchange 5.6.2 is the latest stable version which includes the most
> important changes backported to provide the most stability possible for
> those upgrading from versions 5.6.0 or 5.6.1.
>
> * Interchange 5.4.4 is an update of the previous stable series of releases
> provided only to fix a serious security problem.
>
> All three releases provide a new security feature to close a serious
> security vulnerability which we will describe here in detail:
>
> A remotely exploitable security vulnerability has been discovered where
> any table configured within Interchange could be viewed remotely by an
> unauthenticated user, by using a specially crafted search request.
>
> This vulnerability affects all previous versions of Interchange. Even
> without using the search structure provided in the default install, your
> catalog could still be vulnerable.
>
> To protect against exploits, we strongly recommend all public Interchange
> sites upgrade and use the new configuration directive AllowRemoteSearch.
>
> AllowRemoteSearch limits what database tables are remotely searchable and
> should be specified in each catalog configuration. It defaults
> to:
>
> � � AllowRemoteSearch products variants options
>
> Any table specified in this option will be remotely searchable, and you
> should not permit any table with sensitive information to be searched in
> this way. You should carefully consider the implications of adding any
> further tables to this configuration option.
>
> Remote searches may have been used by your existing catalog. These should
> continue working without any changes as long as they only search tables
> that are permitted by the AllowRemoteSearch directive. You should
> carefully examine your catalog for uses of the search form action, or
> pages which submit a form to a page called search or scan. If they specify
> a search file other than products, variants, or options, you should
> consider rewriting that page to just accept the search terms via CGI
> parameters, and not the entire search. Please consult the documentation on
> in-page searches:
>
> http://www.icdevgroup.org/doc/icdatabase.html#In-Page%20Searches
>
> If your catalog makes use of ActionMaps that perform searches, these
> should continue to work as intended as long as they search a table allowed
> by AllowRemoteSearch. However, you should consider updating them to use
> the new "search" tag. For example, an existing ActionMap that performs a
> search like this:
>
> � � ActionMap old_cat <<EOR
> � � sub {
> � � � � �my ($action, $class) = split('/', shift);
>
> � � � � �$class =~ s/_/ /g;
>
> � � � � �# Originally, search parameters were placed in the CGI hash.
> � � � � �$CGI->{co} = 1;
> � � � � �$CGI->{fi} = 'products';
> � � � � �$CGI->{st} = 'db';
> � � � � �$CGI->{sf} = 'category';
> � � � � �$CGI->{se} = "$class";
> � � � � �$CGI->{sp} = 'results';
> � � � � �$CGI->{tf} = 'category,description:f';
> � � � � �$CGI->{op} = 'eq';
>
> � � � � �$CGI->{mv_todo} = 'search';
> � � � � �$CGI->{mv_nextpage} = 'results';
> � � � � �# And the "update" tag was called to re-evaluate the page with
> � � � � �# the provided search parameters.
> � � � � �$Tag->update('process');
> � � � � �return 1;
> � � }
> � � EOR
>
> Would be updated to instead look like this:
>
> � � ActionMap new_cat <<EOR
> � � sub {
> � � � � �my ($action, $class) = split('/', shift);
>
> � � � � �$class =~ s/_/ /g;
>
> � � � � �# Now, you must create a hash to hold the search parameters.
> � � � � �my $search;
> � � � � �$search->{co} = 1;
> � � � � �$search->{fi} = 'products';
> � � � � �$search->{st} = 'db';
> � � � � �$search->{sf} = 'category';
> � � � � �$search->{se} = "$class";
> � � � � �$search->{sp} = 'results';
> � � � � �$search->{tf} = 'category,description:f';
> � � � � �$search->{op} = "eq";
>
> � � � � �$CGI->{mv_nextpage} = 'results';
> � � � � �# And call the new search tag, which isn't subject to the
> � � � � �# AllowRemoteSearch restrictions.
> � � � � �$Tag->search({ search => $search });
>
> � � � � �return 1;
> � � }
> � � EOR
>
> If you are using a modern version of the standard catalog as the basis
> for your catalog, there is a special subroutine that provides friendly
> URLs for product categories, but is not a traditional ActionMap. Similar
> to the example above, you will need to alter your catalog.cfg, replacing
> the entire Sub ncheck_category with:
>
> Sub ncheck_category <<EOS
> sub {
> � � my ($name) = @_;
> � � return unless $name =~ m{^[A-Z]};
> � � $name =~ s,_, ,g;
> � � my ($prod_group, $category) = split m{/}, $name;
>
> � � my $search;
> � � $search->{co} = 1;
> � � $search->{fi} = 'products';
> � � $search->{st} = 'db';
> � � $search->{sf} = join "\0", 'prod_group', 'category';
> � � $search->{op} = join "\0", 'eq', 'eq';
> � � $search->{se} = join "\0", $prod_group, $category;
> � � $search->{sp} = 'results';
> � � $search->{mv_todo} = 'search';
> � � $Tag->search({ search => $search });
> � � if (($o = $Search->{''}) && @{$o->{mv_results}}) {
> � � � � return (1, �$Config->{Special}->{results});
> � � }
>
> � � return;
> }
> EOS
>
> In the standard and foundation catalogs, the "lost password" feature makes
> use of the remote search feature to be able to retrieve lost passwords. We
> recommend that you delete catalog/pages/query/get_password.html from your
> catalog, and replace catalog/pages/query/lost_password.html with an
> updated version from one of these new releases. As an alternative, you may
> apply the following patch to your existing file:
>
> --- a/dist/standard/pages/query/get_password.html
> +++ b/dist/standard/pages/query/get_password.html
> @@ -32,8 +32,10 @@ ui_template_name: leftonly
> � � � � if( $Scratch->{tried_pw_retrieve}++ > 10 ) {
> � � � � � � � � return "No way, José. Too many times.";
> � � � � }
> � � �$CGI->{mv_todo} = 'search';
> � � � � $Config->{NoSearch} = '';
> + � � � push(@{$Config->{AllowRemoteSearch}},'userdb');
> + � � � return;
> �[/perl]
> �[update process]
> �[search-region]
>
> This is not a recommended solution, and is only a workaround until you can
> consider the changes in the updated lost password page.
>
> We thank Mark Lipscombe for finding and fixing this vulnerability and for
> his other contributions to these releases.
>
> The software and more detailed change logs are available here:
>
> http://ftp.icdevgroup.org/interchange/
>
> SHA1 hashes of the release files:
>
> 4975ab7779d52347aba571681e0238c3ef923136 �interchange-5.7.2.tar.bz2
> dd5c46e3047f6c57495263b265615c0814d0416d �interchange-5.7.2.tar.gz
>
> e64cdb2317c6c7d5cfe01cddcda0c6a4c9e070d2 �interchange-5.6.2.tar.bz2
> ced5a8b8c6821456cef76ca0d45e635853fc1757 �interchange-5.6.2.tar.gz
>
> 49fb93c90e7b9705b7484f6e64f443600956dbf8 �interchange-5.4.4.tar.bz2
> bc0978607242db6685d12bb6f2227054f072d707 �interchange-5.4.4.tar.gz
>
> Detached PGP signatures signed by my key (id DCCAC084) are alongside
> each file for download and verification.
>
> Further information and links to documentation and the user discussion
> mailing list are at:
>
> http://www.icdevgroup.org/
>
> Jon Jensen
> Interchange Development Group

I hope replying here is alright. I'm trying to figure out if I'm
vulnerable to this. I don't use [search-region] or ActionMap at all.
Does that exclude me?

- Grant

_______________________________________________
interchange-users mailing list
interchange-users [at] icdevgroup
http://www.icdevgroup.org/mailman/listinfo/interchange-users

peter at pajamian

Sep 19, 2009, 4:49 PM

Post #3 of 25 (2731 views)
Permalink

Re: Interchange security releases: 5.7.2, 5.6.2, 5.4.4 [In reply to]

On 09/19/2009 04:20 PM, Grant wrote:
> I hope replying here is alright. I'm trying to figure out if I'm
> vulnerable to this. I don't use [search-region] or ActionMap at all.
> Does that exclude me?

No, you are vulnerable if you use a Standard or Foundation based
catalog. You are vulnerable if you have a search results page that
utilizes the Interchange standard search facilities anywhere, even if
you do not use it. If you think you might be vulnerable you probably
are. If you think you are not vulnerable then you still probably are.

I recommend this update for ... pretty much everyone.

Peter

_______________________________________________
interchange-users mailing list
interchange-users [at] icdevgroup
http://www.icdevgroup.org/mailman/listinfo/interchange-users

hudsondarnell43 at verizon

Sep 19, 2009, 8:22 PM

Post #4 of 25 (2729 views)
Permalink

Re: Interchange security releases: 5.7.2, 5.6.2, 5.4.4 [In reply to]

Peter wrote:
> On 09/19/2009 04:20 PM, Grant wrote:
>
>> I hope replying here is alright. I'm trying to figure out if I'm
>> vulnerable to this. I don't use [search-region] or ActionMap at all.
>> Does that exclude me?
>>
>
> No, you are vulnerable if you use a Standard or Foundation based
> catalog. You are vulnerable if you have a search results page that
> utilizes the Interchange standard search facilities anywhere, even if
> you do not use it. If you think you might be vulnerable you probably
> are. If you think you are not vulnerable then you still probably are.
>
> I recommend this update for ... pretty much everyone.
>
>
> Peter
>
>
I know somethings that have not been address, different language search,
like search in Chinese.
Also be able to run multiple stores.
> _______________________________________________
> interchange-users mailing list
> interchange-users [at] icdevgroup
> http://www.icdevgroup.org/mailman/listinfo/interchange-users
>
>

_______________________________________________
interchange-users mailing list
interchange-users [at] icdevgroup
http://www.icdevgroup.org/mailman/listinfo/interchange-users

peter at pajamian

Sep 19, 2009, 11:37 PM

Post #5 of 25 (2739 views)
Permalink

Re: Interchange security releases: 5.7.2, 5.6.2, 5.4.4 [In reply to]

On 09/19/2009 08:22 PM, Darnell wrote:
> Peter wrote:
>> On 09/19/2009 04:20 PM, Grant wrote:
>>
>>> I hope replying here is alright. I'm trying to figure out if I'm
>>> vulnerable to this. I don't use [search-region] or ActionMap at all.
>>> Does that exclude me?
>>>
>> No, you are vulnerable if you use a Standard or Foundation based
>> catalog. You are vulnerable if you have a search results page that
>> utilizes the Interchange standard search facilities anywhere, even if
>> you do not use it. If you think you might be vulnerable you probably
>> are. If you think you are not vulnerable then you still probably are.
>>
>> I recommend this update for ... pretty much everyone.
>>
>>
>> Peter
>>
>>
> I know somethings that have not been address, different language search,
> like search in Chinese.
> Also be able to run multiple stores.

I don't think this update will affect language searches, but please do
test it before upgrading your live site. I am very sure that it does
not affect multiple stores as I have already run the upgrade for a
client who has multiple catalogs running off of a single Interchange
server and I'm sure I'm not the only one.

That said, if you have multiple catalogs running under a single
Interchange server and they are accessed by different people who should
not have access to files from the other catalogs (or indeed from any
other files on the server itself), then you should definitely perform
this update because it also addresses a separate security vulnerability
that allows any catalog to access all files which are accessible to the
system user that the Interchange server is running under.

Peter

_______________________________________________
interchange-users mailing list
interchange-users [at] icdevgroup
http://www.icdevgroup.org/mailman/listinfo/interchange-users

m.mescoli at omnib

Sep 20, 2009, 1:59 AM

Post #6 of 25 (2730 views)
Permalink

Re: Interchange security releases: 5.7.2, 5.6.2, 5.4.4 [In reply to]

Peter ha scritto:
> On 09/19/2009 08:22 PM, Darnell wrote:
>> Peter wrote:
>>> On 09/19/2009 04:20 PM, Grant wrote:
>>>
>>>> I hope replying here is alright. I'm trying to figure out if I'm
>>>> vulnerable to this. I don't use [search-region] or ActionMap at all.
>>>> Does that exclude me?
>>>>
>>> No, you are vulnerable if you use a Standard or Foundation based
>>> catalog. You are vulnerable if you have a search results page that
>>> utilizes the Interchange standard search facilities anywhere, even if
>>> you do not use it. If you think you might be vulnerable you probably
>>> are. If you think you are not vulnerable then you still probably are.
>>>
>>> I recommend this update for ... pretty much everyone.
>>>
>>>
>>> Peter
>>>
>>>
>> I know somethings that have not been address, different language search,
>> like search in Chinese.
>> Also be able to run multiple stores.
>
> I don't think this update will affect language searches, but please do
> test it before upgrading your live site. I am very sure that it does
> not affect multiple stores as I have already run the upgrade for a
> client who has multiple catalogs running off of a single Interchange
> server and I'm sure I'm not the only one.
>
> That said, if you have multiple catalogs running under a single
> Interchange server and they are accessed by different people who should
> not have access to files from the other catalogs (or indeed from any
> other files on the server itself), then you should definitely perform
> this update because it also addresses a separate security vulnerability
> that allows any catalog to access all files which are accessible to the
> system user that the Interchange server is running under.
>
>
> Peter
In my develop server i have quickly updated more catalogs from 5.6.0 to
5.6.2 without any little problem. Test will continue ...

--
Marco "Fino alla bara sinpara"
Marco "Up to demise we rise"

_______________________________________________
interchange-users mailing list
interchange-users [at] icdevgroup
http://www.icdevgroup.org/mailman/listinfo/interchange-users

ic_support at mnwebdesign

Sep 20, 2009, 8:45 AM

Post #7 of 25 (2723 views)
Permalink

Re: Interchange security releases: 5.7.2, 5.6.2, 5.4.4 [In reply to]

hello

Curt Hauge
Office 763-689-4984
Cell 612-598-5530
www.IWantAConsultant.com
www.MNWebDesign.com

> -----Original Message-----
> From: interchange-users-bounces [at] icdevgroup
> [mailto:interchange-users-bounces [at] icdevgroup]On Behalf Of Jon Jensen
> Sent: Thursday, September 17, 2009 5:02 PM
> To: interchange-announce [at] icdevgroup;
> interchange-users [at] icdevgroup
> Subject: [ic] Interchange security releases: 5.7.2, 5.6.2, 5.4.4
>
>
> Today we are releasing three new versions of Interchange:
>
> * Interchange 5.7.2 is the latest development version representing 10
> months of improvements and an impressive list of new features to improve
> developer efficiency and fix bugs.
>
> * Interchange 5.6.2 is the latest stable version which includes the most
> important changes backported to provide the most stability possible for
> those upgrading from versions 5.6.0 or 5.6.1.
>
> * Interchange 5.4.4 is an update of the previous stable series of
> releases
> provided only to fix a serious security problem.
>
> All three releases provide a new security feature to close a serious
> security vulnerability which we will describe here in detail:
>
> A remotely exploitable security vulnerability has been discovered where
> any table configured within Interchange could be viewed remotely by an
> unauthenticated user, by using a specially crafted search request.
>
> This vulnerability affects all previous versions of Interchange. Even
> without using the search structure provided in the default install, your
> catalog could still be vulnerable.
>
> To protect against exploits, we strongly recommend all public Interchange
> sites upgrade and use the new configuration directive AllowRemoteSearch.
>
> AllowRemoteSearch limits what database tables are remotely searchable and
> should be specified in each catalog configuration. It defaults
> to:
>
> AllowRemoteSearch products variants options
>
> Any table specified in this option will be remotely searchable, and you
> should not permit any table with sensitive information to be searched in
> this way. You should carefully consider the implications of adding any
> further tables to this configuration option.
>
> Remote searches may have been used by your existing catalog. These should
> continue working without any changes as long as they only search tables
> that are permitted by the AllowRemoteSearch directive. You should
> carefully examine your catalog for uses of the search form action, or
> pages which submit a form to a page called search or scan. If
> they specify
> a search file other than products, variants, or options, you should
> consider rewriting that page to just accept the search terms via CGI
> parameters, and not the entire search. Please consult the
> documentation on
> in-page searches:
>
> http://www.icdevgroup.org/doc/icdatabase.html#In-Page%20Searches
>
> If your catalog makes use of ActionMaps that perform searches, these
> should continue to work as intended as long as they search a
> table allowed
> by AllowRemoteSearch. However, you should consider updating them to use
> the new "search" tag. For example, an existing ActionMap that performs a
> search like this:
>
> ActionMap old_cat <<EOR
> sub {
> my ($action, $class) = split('/', shift);
>
> $class =~ s/_/ /g;
>
> # Originally, search parameters were placed in the CGI hash.
> $CGI->{co} = 1;
> $CGI->{fi} = 'products';
> $CGI->{st} = 'db';
> $CGI->{sf} = 'category';
> $CGI->{se} = "$class";
> $CGI->{sp} = 'results';
> $CGI->{tf} = 'category,description:f';
> $CGI->{op} = 'eq';
>
> $CGI->{mv_todo} = 'search';
> $CGI->{mv_nextpage} = 'results';
> # And the "update" tag was called to re-evaluate the page with
> # the provided search parameters.
> $Tag->update('process');
> return 1;
> }
> EOR
>
> Would be updated to instead look like this:
>
> ActionMap new_cat <<EOR
> sub {
> my ($action, $class) = split('/', shift);
>
> $class =~ s/_/ /g;
>
> # Now, you must create a hash to hold the search parameters.
> my $search;
> $search->{co} = 1;
> $search->{fi} = 'products';
> $search->{st} = 'db';
> $search->{sf} = 'category';
> $search->{se} = "$class";
> $search->{sp} = 'results';
> $search->{tf} = 'category,description:f';
> $search->{op} = "eq";
>
> $CGI->{mv_nextpage} = 'results';
> # And call the new search tag, which isn't subject to the
> # AllowRemoteSearch restrictions.
> $Tag->search({ search => $search });
>
> return 1;
> }
> EOR
>
> If you are using a modern version of the standard catalog as the basis
> for your catalog, there is a special subroutine that provides friendly
> URLs for product categories, but is not a traditional ActionMap. Similar
> to the example above, you will need to alter your catalog.cfg, replacing
> the entire Sub ncheck_category with:
>
> Sub ncheck_category <<EOS
> sub {
> my ($name) = @_;
> return unless $name =~ m{^[A-Z]};
> $name =~ s,_, ,g;
> my ($prod_group, $category) = split m{/}, $name;
>
> my $search;
> $search->{co} = 1;
> $search->{fi} = 'products';
> $search->{st} = 'db';
> $search->{sf} = join "\0", 'prod_group', 'category';
> $search->{op} = join "\0", 'eq', 'eq';
> $search->{se} = join "\0", $prod_group, $category;
> $search->{sp} = 'results';
> $search->{mv_todo} = 'search';
> $Tag->search({ search => $search });
> if (($o = $Search->{''}) && @{$o->{mv_results}}) {
> return (1, $Config->{Special}->{results});
> }
>
> return;
> }
> EOS
>
> In the standard and foundation catalogs, the "lost password" feature makes
> use of the remote search feature to be able to retrieve lost passwords. We
> recommend that you delete catalog/pages/query/get_password.html from your
> catalog, and replace catalog/pages/query/lost_password.html with an
> updated version from one of these new releases. As an alternative, you may
> apply the following patch to your existing file:
>
> --- a/dist/standard/pages/query/get_password.html
> +++ b/dist/standard/pages/query/get_password.html
> @@ -32,8 +32,10 @@ ui_template_name: leftonly
> if( $Scratch->{tried_pw_retrieve}++ > 10 ) {
> return "No way, José. Too many times.";
> }
> $CGI->{mv_todo} = 'search';
> $Config->{NoSearch} = '';
> + push(@{$Config->{AllowRemoteSearch}},'userdb');
> + return;
> [/perl]
> [update process]
> [search-region]
>
> This is not a recommended solution, and is only a workaround until you can
> consider the changes in the updated lost password page.
>
> We thank Mark Lipscombe for finding and fixing this vulnerability and for
> his other contributions to these releases.
>
> The software and more detailed change logs are available here:
>
> http://ftp.icdevgroup.org/interchange/
>
> SHA1 hashes of the release files:
>
> 4975ab7779d52347aba571681e0238c3ef923136 interchange-5.7.2.tar.bz2
> dd5c46e3047f6c57495263b265615c0814d0416d interchange-5.7.2.tar.gz
>
> e64cdb2317c6c7d5cfe01cddcda0c6a4c9e070d2 interchange-5.6.2.tar.bz2
> ced5a8b8c6821456cef76ca0d45e635853fc1757 interchange-5.6.2.tar.gz
>
> 49fb93c90e7b9705b7484f6e64f443600956dbf8 interchange-5.4.4.tar.bz2
> bc0978607242db6685d12bb6f2227054f072d707 interchange-5.4.4.tar.gz
>
> Detached PGP signatures signed by my key (id DCCAC084) are alongside
> each file for download and verification.
>
> Further information and links to documentation and the user discussion
> mailing list are at:
>
> http://www.icdevgroup.org/
>
> Jon Jensen
> Interchange Development Group
>
> _______________________________________________
> interchange-users mailing list
> interchange-users [at] icdevgroup
> http://www.icdevgroup.org/mailman/listinfo/interchange-users

_______________________________________________
interchange-users mailing list
interchange-users [at] icdevgroup
http://www.icdevgroup.org/mailman/listinfo/interchange-users

ic_support at mnwebdesign

Sep 20, 2009, 9:58 AM

Post #8 of 25 (2724 views)
Permalink

Re: Interchange security releases: 5.7.2, 5.6.2, 5.4.4 [In reply to]

I apologize for that outburst, it was meant to be a test reply to another
email.

Curt

> -----Original Message-----
> From: interchange-users-bounces [at] icdevgroup
> [mailto:interchange-users-bounces [at] icdevgroup]On Behalf Of Curt Hauge
> Sent: Sunday, September 20, 2009 10:46 AM
> To: interchange-users [at] icdevgroup
> Subject: Re: [ic] Interchange security releases: 5.7.2, 5.6.2, 5.4.4
>
>
> hello
>

>
> > -----Original Message-----
> > From: interchange-users-bounces [at] icdevgroup
> > [mailto:interchange-users-bounces [at] icdevgroup]On Behalf Of Jon Jensen
> > Sent: Thursday, September 17, 2009 5:02 PM
> > To: interchange-announce [at] icdevgroup;
> > interchange-users [at] icdevgroup
> > Subject: [ic] Interchange security releases: 5.7.2, 5.6.2, 5.4.4
> >
> >
> > Today we are releasing three new versions of Interchange:
> >
> > * Interchange 5.7.2 is the latest development version representing 10
> > months of improvements and an impressive list of new features to improve
> > developer efficiency and fix bugs.
> >
> > * Interchange 5.6.2 is the latest stable version which includes the most
> > important changes backported to provide the most stability possible for
> > those upgrading from versions 5.6.0 or 5.6.1.
> >
> > * Interchange 5.4.4 is an update of the previous stable series of
> > releases
> > provided only to fix a serious security problem.
> >
> > All three releases provide a new security feature to close a serious
> > security vulnerability which we will describe here in detail:
> >
> > A remotely exploitable security vulnerability has been discovered where
> > any table configured within Interchange could be viewed remotely by an
> > unauthenticated user, by using a specially crafted search request.
> >
> > This vulnerability affects all previous versions of Interchange. Even
> > without using the search structure provided in the default install, your
> > catalog could still be vulnerable.
> >
> > To protect against exploits, we strongly recommend all public
> Interchange
> > sites upgrade and use the new configuration directive AllowRemoteSearch.
> >
> > AllowRemoteSearch limits what database tables are remotely
> searchable and
> > should be specified in each catalog configuration. It defaults
> > to:
> >
> > AllowRemoteSearch products variants options
> >
> > Any table specified in this option will be remotely searchable, and you
> > should not permit any table with sensitive information to be searched in
> > this way. You should carefully consider the implications of adding any
> > further tables to this configuration option.
> >
> > Remote searches may have been used by your existing catalog.
> These should
> > continue working without any changes as long as they only search tables
> > that are permitted by the AllowRemoteSearch directive. You should
> > carefully examine your catalog for uses of the search form action, or
> > pages which submit a form to a page called search or scan. If
> > they specify
> > a search file other than products, variants, or options, you should
> > consider rewriting that page to just accept the search terms via CGI
> > parameters, and not the entire search. Please consult the
> > documentation on
> > in-page searches:
> >
> > http://www.icdevgroup.org/doc/icdatabase.html#In-Page%20Searches
> >
> > If your catalog makes use of ActionMaps that perform searches, these
> > should continue to work as intended as long as they search a
> > table allowed
> > by AllowRemoteSearch. However, you should consider updating them to use
> > the new "search" tag. For example, an existing ActionMap that performs a
> > search like this:
> >
> > ActionMap old_cat <<EOR
> > sub {
> > my ($action, $class) = split('/', shift);
> >
> > $class =~ s/_/ /g;
> >
> > # Originally, search parameters were placed in the CGI hash.
> > $CGI->{co} = 1;
> > $CGI->{fi} = 'products';
> > $CGI->{st} = 'db';
> > $CGI->{sf} = 'category';
> > $CGI->{se} = "$class";
> > $CGI->{sp} = 'results';
> > $CGI->{tf} = 'category,description:f';
> > $CGI->{op} = 'eq';
> >
> > $CGI->{mv_todo} = 'search';
> > $CGI->{mv_nextpage} = 'results';
> > # And the "update" tag was called to re-evaluate the page with
> > # the provided search parameters.
> > $Tag->update('process');
> > return 1;
> > }
> > EOR
> >
> > Would be updated to instead look like this:
> >
> > ActionMap new_cat <<EOR
> > sub {
> > my ($action, $class) = split('/', shift);
> >
> > $class =~ s/_/ /g;
> >
> > # Now, you must create a hash to hold the search parameters.
> > my $search;
> > $search->{co} = 1;
> > $search->{fi} = 'products';
> > $search->{st} = 'db';
> > $search->{sf} = 'category';
> > $search->{se} = "$class";
> > $search->{sp} = 'results';
> > $search->{tf} = 'category,description:f';
> > $search->{op} = "eq";
> >
> > $CGI->{mv_nextpage} = 'results';
> > # And call the new search tag, which isn't subject to the
> > # AllowRemoteSearch restrictions.
> > $Tag->search({ search => $search });
> >
> > return 1;
> > }
> > EOR
> >
> > If you are using a modern version of the standard catalog as the basis
> > for your catalog, there is a special subroutine that provides friendly
> > URLs for product categories, but is not a traditional ActionMap. Similar
> > to the example above, you will need to alter your catalog.cfg, replacing
> > the entire Sub ncheck_category with:
> >
> > Sub ncheck_category <<EOS
> > sub {
> > my ($name) = @_;
> > return unless $name =~ m{^[A-Z]};
> > $name =~ s,_, ,g;
> > my ($prod_group, $category) = split m{/}, $name;
> >
> > my $search;
> > $search->{co} = 1;
> > $search->{fi} = 'products';
> > $search->{st} = 'db';
> > $search->{sf} = join "\0", 'prod_group', 'category';
> > $search->{op} = join "\0", 'eq', 'eq';
> > $search->{se} = join "\0", $prod_group, $category;
> > $search->{sp} = 'results';
> > $search->{mv_todo} = 'search';
> > $Tag->search({ search => $search });
> > if (($o = $Search->{''}) && @{$o->{mv_results}}) {
> > return (1, $Config->{Special}->{results});
> > }
> >
> > return;
> > }
> > EOS
> >
> > In the standard and foundation catalogs, the "lost password"
> feature makes
> > use of the remote search feature to be able to retrieve lost
> passwords. We
> > recommend that you delete catalog/pages/query/get_password.html
> from your
> > catalog, and replace catalog/pages/query/lost_password.html with an
> > updated version from one of these new releases. As an
> alternative, you may
> > apply the following patch to your existing file:
> >
> > --- a/dist/standard/pages/query/get_password.html
> > +++ b/dist/standard/pages/query/get_password.html
> > @@ -32,8 +32,10 @@ ui_template_name: leftonly
> > if( $Scratch->{tried_pw_retrieve}++ > 10 ) {
> > return "No way, José. Too many times.";
> > }
> > $CGI->{mv_todo} = 'search';
> > $Config->{NoSearch} = '';
> > + push(@{$Config->{AllowRemoteSearch}},'userdb');
> > + return;
> > [/perl]
> > [update process]
> > [search-region]
> >
> > This is not a recommended solution, and is only a workaround
> until you can
> > consider the changes in the updated lost password page.
> >
> > We thank Mark Lipscombe for finding and fixing this
> vulnerability and for
> > his other contributions to these releases.
> >
> > The software and more detailed change logs are available here:
> >
> > http://ftp.icdevgroup.org/interchange/
> >
> > SHA1 hashes of the release files:
> >
> > 4975ab7779d52347aba571681e0238c3ef923136 interchange-5.7.2.tar.bz2
> > dd5c46e3047f6c57495263b265615c0814d0416d interchange-5.7.2.tar.gz
> >
> > e64cdb2317c6c7d5cfe01cddcda0c6a4c9e070d2 interchange-5.6.2.tar.bz2
> > ced5a8b8c6821456cef76ca0d45e635853fc1757 interchange-5.6.2.tar.gz
> >
> > 49fb93c90e7b9705b7484f6e64f443600956dbf8 interchange-5.4.4.tar.bz2
> > bc0978607242db6685d12bb6f2227054f072d707 interchange-5.4.4.tar.gz
> >
> > Detached PGP signatures signed by my key (id DCCAC084) are alongside
> > each file for download and verification.
> >
> > Further information and links to documentation and the user discussion
> > mailing list are at:
> >
> > http://www.icdevgroup.org/
> >
> > Jon Jensen
> > Interchange Development Group
> >
> > _______________________________________________
> > interchange-users mailing list
> > interchange-users [at] icdevgroup
> > http://www.icdevgroup.org/mailman/listinfo/interchange-users
>
>
> _______________________________________________
> interchange-users mailing list
> interchange-users [at] icdevgroup
> http://www.icdevgroup.org/mailman/listinfo/interchange-users

_______________________________________________
interchange-users mailing list
interchange-users [at] icdevgroup
http://www.icdevgroup.org/mailman/listinfo/interchange-users

emailgrant at gmail

Sep 20, 2009, 11:10 AM

Post #9 of 25 (2718 views)
Permalink

Re: Interchange security releases: 5.7.2, 5.6.2, 5.4.4 [In reply to]

>> I hope replying here is alright. �I'm trying to figure out if I'm
>> vulnerable to this. �I don't use [search-region] or ActionMap at all.
>> Does that exclude me?
>
> No, you are vulnerable if you use a Standard or Foundation based
> catalog. �You are vulnerable if you have a search results page that
> utilizes the Interchange standard search facilities anywhere, even if
> you do not use it. �If you think you might be vulnerable you probably
> are. �If you think you are not vulnerable then you still probably are.
>
> I recommend this update for ... pretty much everyone.
>
>
> Peter

I don't use a Standard or Foundation based catalog, and my search
results pages are completely home-brewed within IC. None of the raw
search parameters appear in the URL ever. I do use [loop
search="..."][/loop] within my pages, but I don't know if that counts
as "standard search facilities" and I don't see how that could be
manipulated.

- Grant

_______________________________________________
interchange-users mailing list
interchange-users [at] icdevgroup
http://www.icdevgroup.org/mailman/listinfo/interchange-users

emailgrant at gmail

Sep 20, 2009, 11:16 AM

Post #10 of 25 (2718 views)
Permalink

Re: Interchange security releases: 5.7.2, 5.6.2, 5.4.4 [In reply to]

>>>> I hope replying here is alright. �I'm trying to figure out if I'm
>>>> vulnerable to this. �I don't use [search-region] or ActionMap at all.
>>>> Does that exclude me?
>>>>
>>> No, you are vulnerable if you use a Standard or Foundation based
>>> catalog. �You are vulnerable if you have a search results page that
>>> utilizes the Interchange standard search facilities anywhere, even if
>>> you do not use it. �If you think you might be vulnerable you probably
>>> are. �If you think you are not vulnerable then you still probably are.
>>>
>>> I recommend this update for ... pretty much everyone.
>>>
>>>
>>> Peter
>>>
>>>
>> I know somethings that have not been address, different language search,
>> like search in Chinese.
>> Also be able to run multiple stores.
>
> I don't think this update will affect language searches, but please do
> test it before upgrading your live site. �I am very sure that it does
> not affect multiple stores as I have already run the upgrade for a
> client who has multiple catalogs running off of a single Interchange
> server and I'm sure I'm not the only one.
>
> That said, if you have multiple catalogs running under a single
> Interchange server and they are accessed by different people who should
> not have access to files from the other catalogs (or indeed from any
> other files on the server itself), then you should definitely perform
> this update because it also addresses a separate security vulnerability
> that allows any catalog to access all files which are accessible to the
> system user that the Interchange server is running under.
>
>
> Peter

Can any web user view those files, or just a person logged into the server?

- Grant

_______________________________________________
interchange-users mailing list
interchange-users [at] icdevgroup
http://www.icdevgroup.org/mailman/listinfo/interchange-users

peter at pajamian

Sep 20, 2009, 2:05 PM

Post #11 of 25 (2714 views)
Permalink

Re: Interchange security releases: 5.7.2, 5.6.2, 5.4.4 [In reply to]

On 09/20/2009 11:10 AM, Grant wrote:
>>> I hope replying here is alright. I'm trying to figure out if I'm
>>> vulnerable to this. I don't use [search-region] or ActionMap at all.
>>> Does that exclude me?
>> No, you are vulnerable if you use a Standard or Foundation based
>> catalog. You are vulnerable if you have a search results page that
>> utilizes the Interchange standard search facilities anywhere, even if
>> you do not use it. If you think you might be vulnerable you probably
>> are. If you think you are not vulnerable then you still probably are.
>>
>> I recommend this update for ... pretty much everyone.
>>
>>
>> Peter
>
> I don't use a Standard or Foundation based catalog, and my search
> results pages are completely home-brewed within IC. None of the raw
> search parameters appear in the URL ever. I do use [loop
> search="..."][/loop] within my pages, but I don't know if that counts
> as "standard search facilities" and I don't see how that could be
> manipulated.

In that case chances are you are safe from this vulnerability, but I'm
not bout to make any guarantees. If you want to be safe do the upgrade.

Peter

_______________________________________________
interchange-users mailing list
interchange-users [at] icdevgroup
http://www.icdevgroup.org/mailman/listinfo/interchange-users

peter at pajamian

Sep 20, 2009, 2:09 PM

Post #12 of 25 (2715 views)
Permalink

Re: Interchange security releases: 5.7.2, 5.6.2, 5.4.4 [In reply to]

On 09/20/2009 11:16 AM, Grant wrote:
>>>>> I hope replying here is alright. I'm trying to figure out if I'm
>>>>> vulnerable to this. I don't use [search-region] or ActionMap at all.
>>>>> Does that exclude me?
>>>>>
>>>> No, you are vulnerable if you use a Standard or Foundation based
>>>> catalog. You are vulnerable if you have a search results page that
>>>> utilizes the Interchange standard search facilities anywhere, even if
>>>> you do not use it. If you think you might be vulnerable you probably
>>>> are. If you think you are not vulnerable then you still probably are.
>>>>
>>>> I recommend this update for ... pretty much everyone.
>>>>
>>>>
>>>> Peter
>>>>
>>>>
>>> I know somethings that have not been address, different language search,
>>> like search in Chinese.
>>> Also be able to run multiple stores.
>> I don't think this update will affect language searches, but please do
>> test it before upgrading your live site. I am very sure that it does
>> not affect multiple stores as I have already run the upgrade for a
>> client who has multiple catalogs running off of a single Interchange
>> server and I'm sure I'm not the only one.
>>
>> That said, if you have multiple catalogs running under a single
>> Interchange server and they are accessed by different people who should
>> not have access to files from the other catalogs (or indeed from any
>> other files on the server itself), then you should definitely perform
>> this update because it also addresses a separate security vulnerability
>> that allows any catalog to access all files which are accessible to the
>> system user that the Interchange server is running under.
>>
>>
>> Peter
>
> Can any web user view those files, or just a person logged into the server?

Just people who have admin access to Interchange, or enough access to be
able to inject ITL somewhere. Keep in mind that if someone can find a
code injection vulnerability on one of your pages then this can be used
to greatly increase what they can see and do. Basically it allows a
user to bypass the NoAbsolute global configuration directive. Also this
vulnerability allows write as well as read access to any files that the
interch user can write.

Peter

_______________________________________________
interchange-users mailing list
interchange-users [at] icdevgroup
http://www.icdevgroup.org/mailman/listinfo/interchange-users

emailgrant at gmail

Sep 20, 2009, 3:35 PM

Post #13 of 25 (2719 views)
Permalink

Re: Interchange security releases: 5.7.2, 5.6.2, 5.4.4 [In reply to]

>>>>>> I hope replying here is alright. �I'm trying to figure out if I'm
>>>>>> vulnerable to this. �I don't use [search-region] or ActionMap at all.
>>>>>> Does that exclude me?
>>>>>>
>>>>> No, you are vulnerable if you use a Standard or Foundation based
>>>>> catalog. �You are vulnerable if you have a search results page that
>>>>> utilizes the Interchange standard search facilities anywhere, even if
>>>>> you do not use it. �If you think you might be vulnerable you probably
>>>>> are. �If you think you are not vulnerable then you still probably are.
>>>>>
>>>>> I recommend this update for ... pretty much everyone.
>>>>>
>>>>>
>>>>> Peter
>>>>>
>>>>>
>>>> I know somethings that have not been address, different language search,
>>>> like search in Chinese.
>>>> Also be able to run multiple stores.
>>> I don't think this update will affect language searches, but please do
>>> test it before upgrading your live site. �I am very sure that it does
>>> not affect multiple stores as I have already run the upgrade for a
>>> client who has multiple catalogs running off of a single Interchange
>>> server and I'm sure I'm not the only one.
>>>
>>> That said, if you have multiple catalogs running under a single
>>> Interchange server and they are accessed by different people who should
>>> not have access to files from the other catalogs (or indeed from any
>>> other files on the server itself), then you should definitely perform
>>> this update because it also addresses a separate security vulnerability
>>> that allows any catalog to access all files which are accessible to the
>>> system user that the Interchange server is running under.
>>>
>>>
>>> Peter
>>
>> Can any web user view those files, or just a person logged into the server?
>
> Just people who have admin access to Interchange, or enough access to be
> able to inject ITL somewhere. �Keep in mind that if someone can find a
> code injection vulnerability on one of your pages then this can be used
> to greatly increase what they can see and do. �Basically it allows a
> user to bypass the NoAbsolute global configuration directive. �Also this
> vulnerability allows write as well as read access to any files that the
> interch user can write.
>
>
> Peter

Thank you for the info.

- Grant

_______________________________________________
interchange-users mailing list
interchange-users [at] icdevgroup
http://www.icdevgroup.org/mailman/listinfo/interchange-users

lists at gmnet

Sep 24, 2009, 11:38 PM

Post #14 of 25 (2616 views)
Permalink

Re: Interchange security releases: 5.7.2, 5.6.2, 5.4.4 [In reply to]

On Sat, 2009-09-19 at 16:49 -0700, Peter wrote:
> On 09/19/2009 04:20 PM, Grant wrote:
> > I hope replying here is alright. I'm trying to figure out if I'm
> > vulnerable to this. I don't use [search-region] or ActionMap at all.
> > Does that exclude me?
>
> No, you are vulnerable if you use a Standard or Foundation based
> catalog. You are vulnerable if you have a search results page that
> utilizes the Interchange standard search facilities anywhere, even if
> you do not use it. If you think you might be vulnerable you probably
> are. If you think you are not vulnerable then you still probably are.
>
> I recommend this update for ... pretty much everyone.
>
>
> Peter
>

Thanks for this update, I have updated all my e-commerce catalogs with
no problems at all except for one that is scheduled to go live on next
Wednesday. The countdown to bringing Montpelier live has started, and
the city is like a mob scene, they will be banging on my door because it
is already really late :)

Anyway, my issue is that I am using lots of new tables that I have build
for "content management" and "social networking" purposes. I am using a
search similar to the "search_box_smnall" and "advancedsearch" for much
of the content, also I am usinig a "swish" search for pdf files. The
tables are somewhat private so I don't want to open them up in the
"AllowRemoteSearch" config directive in catalog.cfg

Are there new ways to use these kinds of searches? Or is there a
temporary work-around that I can do for now?

Thanks again, and please make the mob go away!
Rick

--
This message has been scanned for viruses and
dangerous content by Green Mountain Network, and is
believed to be clean.

_______________________________________________
interchange-users mailing list
interchange-users [at] icdevgroup
http://www.icdevgroup.org/mailman/listinfo/interchange-users

lists at gmnet

Sep 24, 2009, 11:47 PM

Post #15 of 25 (2616 views)
Permalink

Re: Interchange security releases: 5.7.2, 5.6.2, 5.4.4 [In reply to]

On Fri, 2009-09-25 at 06:38 +0000, Rick Bragg wrote:
> On Sat, 2009-09-19 at 16:49 -0700, Peter wrote:
> > On 09/19/2009 04:20 PM, Grant wrote:
> > > I hope replying here is alright. I'm trying to figure out if I'm
> > > vulnerable to this. I don't use [search-region] or ActionMap at all.
> > > Does that exclude me?
> >
> > No, you are vulnerable if you use a Standard or Foundation based
> > catalog. You are vulnerable if you have a search results page that
> > utilizes the Interchange standard search facilities anywhere, even if
> > you do not use it. If you think you might be vulnerable you probably
> > are. If you think you are not vulnerable then you still probably are.
> >
> > I recommend this update for ... pretty much everyone.
> >
> >
> > Peter
> >
>
> Thanks for this update, I have updated all my e-commerce catalogs with
> no problems at all except for one that is scheduled to go live on next
> Wednesday. The countdown to bringing Montpelier live has started, and
> the city is like a mob scene, they will be banging on my door because it
> is already really late :)
>
> Anyway, my issue is that I am using lots of new tables that I have build
> for "content management" and "social networking" purposes. I am using a
> search similar to the "search_box_smnall" and "advancedsearch" for much
> of the content, also I am usinig a "swish" search for pdf files. The
> tables are somewhat private so I don't want to open them up in the
> "AllowRemoteSearch" config directive in catalog.cfg
>
> Are there new ways to use these kinds of searches? Or is there a
> temporary work-around that I can do for now?
>
> Thanks again, and please make the mob go away!
> Rick
>

Actually, I set it up so that all the people using the system are
logging into the affiliates database and nobody will be able to put ITL
anywhere in the site (except the planning department who I am letting do
anything anyway). However, I will be letting the Clerk login to the
admin area ONLY for "orders". So is it safe to open up these tables in
this case?

Rick

--
This message has been scanned for viruses and
dangerous content by Green Mountain Network, and is
believed to be clean.

_______________________________________________
interchange-users mailing list
interchange-users [at] icdevgroup
http://www.icdevgroup.org/mailman/listinfo/interchange-users

gert at 3edge

Sep 24, 2009, 11:54 PM

Post #16 of 25 (2617 views)
Permalink

Re: Interchange security releases: 5.7.2, 5.6.2, 5.4.4 [In reply to]

> -----Original Message-----
> From: interchange-users-bounces [at] icdevgroup [mailto:interchange-
> users-bounces [at] icdevgroup] On Behalf Of Rick Bragg
> Sent: Friday, September 25, 2009 9:47 AM
> To: interchange-users [at] icdevgroup
> Subject: Re: [ic] Interchange security releases: 5.7.2, 5.6.2, 5.4.4
>
> On Fri, 2009-09-25 at 06:38 +0000, Rick Bragg wrote:
> > On Sat, 2009-09-19 at 16:49 -0700, Peter wrote:
> > > On 09/19/2009 04:20 PM, Grant wrote:
> > > > I hope replying here is alright. I'm trying to figure out if I'm
> > > > vulnerable to this. I don't use [search-region] or ActionMap at
> all.
> > > > Does that exclude me?
> > >
> > > No, you are vulnerable if you use a Standard or Foundation based
> > > catalog. You are vulnerable if you have a search results page that
> > > utilizes the Interchange standard search facilities anywhere, even
> if
> > > you do not use it. If you think you might be vulnerable you
> probably
> > > are. If you think you are not vulnerable then you still probably
> are.
> > >
> > > I recommend this update for ... pretty much everyone.
> > >
> > >
> > > Peter
> > >
> >
> > Thanks for this update, I have updated all my e-commerce catalogs
> with
> > no problems at all except for one that is scheduled to go live on
> next
> > Wednesday. The countdown to bringing Montpelier live has started,
> and
> > the city is like a mob scene, they will be banging on my door because
> it
> > is already really late :)
> >
> > Anyway, my issue is that I am using lots of new tables that I have
> build
> > for "content management" and "social networking" purposes. I am using
> a
> > search similar to the "search_box_smnall" and "advancedsearch" for
> much
> > of the content, also I am usinig a "swish" search for pdf files. The
> > tables are somewhat private so I don't want to open them up in the
> > "AllowRemoteSearch" config directive in catalog.cfg
> >
> > Are there new ways to use these kinds of searches? Or is there a
> > temporary work-around that I can do for now?
> >
> > Thanks again, and please make the mob go away!
> > Rick
> >
>
> Actually, I set it up so that all the people using the system are
> logging into the affiliates database and nobody will be able to put ITL
> anywhere in the site (except the planning department who I am letting
> do
> anything anyway). However, I will be letting the Clerk login to the
> admin area ONLY for "orders". So is it safe to open up these tables in
> this case?
>
> Rick
>

You can allow tables temporarily via something like:
push(@{$Config->{AllowRemoteSearch}},'TABLE');

Not sure if that will help you or how safe this is for your situation ...
So don't send the Montpelier mob after me if it's not working out ;)

CU,

Gert

_______________________________________________
interchange-users mailing list
interchange-users [at] icdevgroup
http://www.icdevgroup.org/mailman/listinfo/interchange-users

peter at pajamian

Sep 25, 2009, 1:33 AM

Post #17 of 25 (2614 views)
Permalink

Re: Interchange security releases: 5.7.2, 5.6.2, 5.4.4 [In reply to]

On 09/24/2009 11:54 PM, Gert van der Spoel wrote:
>> -----Original Message-----
>> From: interchange-users-bounces [at] icdevgroup [mailto:interchange-
>> users-bounces [at] icdevgroup] On Behalf Of Rick Bragg
>> Sent: Friday, September 25, 2009 9:47 AM
>> To: interchange-users [at] icdevgroup
>> Subject: Re: [ic] Interchange security releases: 5.7.2, 5.6.2, 5.4.4
>>
>> On Fri, 2009-09-25 at 06:38 +0000, Rick Bragg wrote:
>>> Thanks for this update, I have updated all my e-commerce catalogs with
>>> no problems at all except for one that is scheduled to go live on next
>>> Wednesday. The countdown to bringing Montpelier live has started, and
>>> the city is like a mob scene, they will be banging on my door because it
>>> is already really late :)
>>>
>>> Anyway, my issue is that I am using lots of new tables that I have build
>>> for "content management" and "social networking" purposes. I am using a
>>> search similar to the "search_box_smnall" and "advancedsearch" for much
>>> of the content, also I am usinig a "swish" search for pdf files. The
>>> tables are somewhat private so I don't want to open them up in the
>>> "AllowRemoteSearch" config directive in catalog.cfg
>>>
>>> Are there new ways to use these kinds of searches? Or is there a
>>> temporary work-around that I can do for now?

The best thing you can do is to pass the user entered search parameters
in CGI variables, for example you can do something like this:

<form method="post" action="[area my_results_page]">
Foo Search Field: <input type="text" name="foo" size="40"><br>
Bar Search Field: <input type="text" name="bar" size="40"><br>
<input type="submit" value="Search">
</form>

...then on the page, my_results_page you would do something like this:

[loop search=|
fi=my_table
st=db
co=1
sf=foo
se=[cgi foo]
sf=bar
se=[cgi bar]
rf=baz,biz
|]

<p>
baz is: [loop-param baz]<br>
biz is: [loop-param biz]
</p>
[/loop]

The above type of search is safe from being exploited by this
vulnerability and will continue to work without having to add the tables
to AlloRemoteSearch.

>> Actually, I set it up so that all the people using the system are
>> logging into the affiliates database and nobody will be able to put ITL
>> anywhere in the site (except the planning department who I am letting
>> do anything anyway). However, I will be letting the Clerk login to the
>> admin area ONLY for "orders". So is it safe to open up these tables in
>> this case?

No, a user does not have to be logged in as an admin or anything
important to take advantage of this vulnerability.

> You can allow tables temporarily via something like:
> push(@{$Config->{AllowRemoteSearch}},'TABLE');

This only works in very limited cases and has to be done on the search
results page, but run before the search results are processed. It may
or may not work before the [search-region] tag, I'm not sure. Keep in
mind that if you do this you could still be open to an attack.

Peter

_______________________________________________
interchange-users mailing list
interchange-users [at] icdevgroup
http://www.icdevgroup.org/mailman/listinfo/interchange-users

lists at gmnet

Sep 25, 2009, 5:20 AM

Post #18 of 25 (2605 views)
Permalink

Re: Interchange security releases: 5.7.2, 5.6.2, 5.4.4 [In reply to]

On Fri, 2009-09-25 at 01:33 -0700, Peter wrote:
> On 09/24/2009 11:54 PM, Gert van der Spoel wrote:
> >> -----Original Message-----
> >> From: interchange-users-bounces [at] icdevgroup [mailto:interchange-
> >> users-bounces [at] icdevgroup] On Behalf Of Rick Bragg
> >> Sent: Friday, September 25, 2009 9:47 AM
> >> To: interchange-users [at] icdevgroup
> >> Subject: Re: [ic] Interchange security releases: 5.7.2, 5.6.2, 5.4.4
> >>
> >> On Fri, 2009-09-25 at 06:38 +0000, Rick Bragg wrote:
> >>> Thanks for this update, I have updated all my e-commerce catalogs with
> >>> no problems at all except for one that is scheduled to go live on next
> >>> Wednesday. The countdown to bringing Montpelier live has started, and
> >>> the city is like a mob scene, they will be banging on my door because it
> >>> is already really late :)
> >>>
> >>> Anyway, my issue is that I am using lots of new tables that I have build
> >>> for "content management" and "social networking" purposes. I am using a
> >>> search similar to the "search_box_smnall" and "advancedsearch" for much
> >>> of the content, also I am usinig a "swish" search for pdf files. The
> >>> tables are somewhat private so I don't want to open them up in the
> >>> "AllowRemoteSearch" config directive in catalog.cfg
> >>>
> >>> Are there new ways to use these kinds of searches? Or is there a
> >>> temporary work-around that I can do for now?
>
> The best thing you can do is to pass the user entered search parameters
> in CGI variables, for example you can do something like this:
>
> <form method="post" action="[area my_results_page]">
> Foo Search Field: <input type="text" name="foo" size="40"><br>
> Bar Search Field: <input type="text" name="bar" size="40"><br>
> <input type="submit" value="Search">
> </form>
>
>
> ...then on the page, my_results_page you would do something like this:
>
> [.loop search=|
> fi=my_table
> st=db
> co=1
> sf=foo
> se=[cgi foo]
> sf=bar
> se=[cgi bar]
> rf=baz,biz
> |]
>
> <p>
> baz is: [loop-param baz]<br>
> biz is: [loop-param biz]
> </p>
> [/loop]
>
>
> The above type of search is safe from being exploited by this
> vulnerability and will continue to work without having to add the tables
> to AlloRemoteSearch.
>
> >> Actually, I set it up so that all the people using the system are
> >> logging into the affiliates database and nobody will be able to put ITL
> >> anywhere in the site (except the planning department who I am letting
> >> do anything anyway). However, I will be letting the Clerk login to the
> >> admin area ONLY for "orders". So is it safe to open up these tables in
> >> this case?
>
> No, a user does not have to be logged in as an admin or anything
> important to take advantage of this vulnerability.
>
> > You can allow tables temporarily via something like:
> > push(@{$Config->{AllowRemoteSearch}},'TABLE');
>
> This only works in very limited cases and has to be done on the search
> results page, but run before the search results are processed. It may
> or may not work before the [search-region] tag, I'm not sure. Keep in
> mind that if you do this you could still be open to an attack.
>
>
> Peter
>
> _______________________________________________

Ah! I love the new search form idea. can I also use just a [query] tag
instead of [loop] on the results? I like to use additional SQL right
there! That will also solve other problems I am having such as trying
type in "fixed wheel gear" and returning rows that match "fixed gear"

As for the mob, they are a very nice, socially responsible, and peaceful
mob :)

--
This message has been scanned for viruses and
dangerous content by Green Mountain Network, and is
believed to be clean.

_______________________________________________
interchange-users mailing list
interchange-users [at] icdevgroup
http://www.icdevgroup.org/mailman/listinfo/interchange-users

peter at pajamian

Sep 25, 2009, 5:29 AM

Post #19 of 25 (2608 views)
Permalink

Re: Interchange security releases: 5.7.2, 5.6.2, 5.4.4 [In reply to]

On 09/25/2009 05:20 AM, Rick Bragg wrote:
> Ah! I love the new search form idea. can I also use just a [query] tag
> instead of [loop] on the results?

Yes, of course. Just be careful to filter your inputs or you could end
up with an SQL injection vulnerability. I recommend the dbi_quote filter:
<http://www.interchange.rtfm.info/icdocs/filters/dbi_quote.html>

Peter

_______________________________________________
interchange-users mailing list
interchange-users [at] icdevgroup
http://www.icdevgroup.org/mailman/listinfo/interchange-users

racke at linuxia

Sep 25, 2009, 5:29 AM

Post #20 of 25 (2608 views)
Permalink

Re: Interchange security releases: 5.7.2, 5.6.2, 5.4.4 [In reply to]

Rick Bragg wrote:
> On Fri, 2009-09-25 at 01:33 -0700, Peter wrote:
>> On 09/24/2009 11:54 PM, Gert van der Spoel wrote:
>>>> -----Original Message-----
>>>> From: interchange-users-bounces [at] icdevgroup [mailto:interchange-
>>>> users-bounces [at] icdevgroup] On Behalf Of Rick Bragg
>>>> Sent: Friday, September 25, 2009 9:47 AM
>>>> To: interchange-users [at] icdevgroup
>>>> Subject: Re: [ic] Interchange security releases: 5.7.2, 5.6.2, 5.4.4
>>>>
>>>> On Fri, 2009-09-25 at 06:38 +0000, Rick Bragg wrote:
>>>>> Thanks for this update, I have updated all my e-commerce catalogs with
>>>>> no problems at all except for one that is scheduled to go live on next
>>>>> Wednesday. The countdown to bringing Montpelier live has started, and
>>>>> the city is like a mob scene, they will be banging on my door because it
>>>>> is already really late :)
>>>>>
>>>>> Anyway, my issue is that I am using lots of new tables that I have build
>>>>> for "content management" and "social networking" purposes. I am using a
>>>>> search similar to the "search_box_smnall" and "advancedsearch" for much
>>>>> of the content, also I am usinig a "swish" search for pdf files. The
>>>>> tables are somewhat private so I don't want to open them up in the
>>>>> "AllowRemoteSearch" config directive in catalog.cfg
>>>>>
>>>>> Are there new ways to use these kinds of searches? Or is there a
>>>>> temporary work-around that I can do for now?
>> The best thing you can do is to pass the user entered search parameters
>> in CGI variables, for example you can do something like this:
>>
>> <form method="post" action="[area my_results_page]">
>> Foo Search Field: <input type="text" name="foo" size="40"><br>
>> Bar Search Field: <input type="text" name="bar" size="40"><br>
>> <input type="submit" value="Search">
>> </form>
>>
>>
>> ...then on the page, my_results_page you would do something like this:
>>
>> [.loop search=|
>> fi=my_table
>> st=db
>> co=1
>> sf=foo
>> se=[cgi foo]
>> sf=bar
>> se=[cgi bar]
>> rf=baz,biz
>> |]
>>
>> <p>
>> baz is: [loop-param baz]<br>
>> biz is: [loop-param biz]
>> </p>
>> [/loop]
>>
>>
>> The above type of search is safe from being exploited by this
>> vulnerability and will continue to work without having to add the tables
>> to AlloRemoteSearch.
>>
>>>> Actually, I set it up so that all the people using the system are
>>>> logging into the affiliates database and nobody will be able to put ITL
>>>> anywhere in the site (except the planning department who I am letting
>>>> do anything anyway). However, I will be letting the Clerk login to the
>>>> admin area ONLY for "orders". So is it safe to open up these tables in
>>>> this case?
>> No, a user does not have to be logged in as an admin or anything
>> important to take advantage of this vulnerability.
>>
>>> You can allow tables temporarily via something like:
>>> push(@{$Config->{AllowRemoteSearch}},'TABLE');
>> This only works in very limited cases and has to be done on the search
>> results page, but run before the search results are processed. It may
>> or may not work before the [search-region] tag, I'm not sure. Keep in
>> mind that if you do this you could still be open to an attack.
>>
>>
>> Peter
>>
>> _______________________________________________
>
>
> Ah! I love the new search form idea. can I also use just a [query] tag
> instead of [loop] on the results? I like to use additional SQL right
> there! That will also solve other problems I am having such as trying
> type in "fixed wheel gear" and returning rows that match "fixed gear"
>

Yes, you can do this. Just make sure to sanitize the user's input before
feeding it directly into a SQL query.

Regards
Racke

--
LinuXia Systems => http://www.linuxia.de/
Expert Interchange Consulting and System Administration
ICDEVGROUP => http://www.icdevgroup.org/
Interchange Development Team

_______________________________________________
interchange-users mailing list
interchange-users [at] icdevgroup
http://www.icdevgroup.org/mailman/listinfo/interchange-users

lists at gmnet

Sep 25, 2009, 6:27 AM

Post #21 of 25 (2611 views)
Permalink

Re: Interchange security releases: 5.7.2, 5.6.2, 5.4.4 [In reply to]

On Fri, 2009-09-25 at 14:29 +0200, Stefan Hornburg wrote:
> Rick Bragg wrote:
> > On Fri, 2009-09-25 at 01:33 -0700, Peter wrote:
> >> On 09/24/2009 11:54 PM, Gert van der Spoel wrote:
> >>>> -----Original Message-----
> >>>> From: interchange-users-bounces [at] icdevgroup [mailto:interchange-
> >>>> users-bounces [at] icdevgroup] On Behalf Of Rick Bragg
> >>>> Sent: Friday, September 25, 2009 9:47 AM
> >>>> To: interchange-users [at] icdevgroup
> >>>> Subject: Re: [ic] Interchange security releases: 5.7.2, 5.6.2, 5.4.4
> >>>>
> >>>> On Fri, 2009-09-25 at 06:38 +0000, Rick Bragg wrote:
> >>>>> Thanks for this update, I have updated all my e-commerce catalogs with
> >>>>> no problems at all except for one that is scheduled to go live on next
> >>>>> Wednesday. The countdown to bringing Montpelier live has started, and
> >>>>> the city is like a mob scene, they will be banging on my door because it
> >>>>> is already really late :)
> >>>>>
> >>>>> Anyway, my issue is that I am using lots of new tables that I have build
> >>>>> for "content management" and "social networking" purposes. I am using a
> >>>>> search similar to the "search_box_smnall" and "advancedsearch" for much
> >>>>> of the content, also I am usinig a "swish" search for pdf files. The
> >>>>> tables are somewhat private so I don't want to open them up in the
> >>>>> "AllowRemoteSearch" config directive in catalog.cfg
> >>>>>
> >>>>> Are there new ways to use these kinds of searches? Or is there a
> >>>>> temporary work-around that I can do for now?
> >> The best thing you can do is to pass the user entered search parameters
> >> in CGI variables, for example you can do something like this:
> >>
> >> <form method="post" action="[area my_results_page]">
> >> Foo Search Field: <input type="text" name="foo" size="40"><br>
> >> Bar Search Field: <input type="text" name="bar" size="40"><br>
> >> <input type="submit" value="Search">
> >> </form>
> >>
> >>
> >> ...then on the page, my_results_page you would do something like this:
> >>
> >> [.loop search=|
> >> fi=my_table
> >> st=db
> >> co=1
> >> sf=foo
> >> se=[cgi foo]
> >> sf=bar
> >> se=[cgi bar]
> >> rf=baz,biz
> >> |]
> >>
> >> <p>
> >> baz is: [loop-param baz]<br>
> >> biz is: [loop-param biz]
> >> </p>
> >> [/loop]
> >>
> >>
> >> The above type of search is safe from being exploited by this
> >> vulnerability and will continue to work without having to add the tables
> >> to AlloRemoteSearch.
> >>
> >>>> Actually, I set it up so that all the people using the system are
> >>>> logging into the affiliates database and nobody will be able to put ITL
> >>>> anywhere in the site (except the planning department who I am letting
> >>>> do anything anyway). However, I will be letting the Clerk login to the
> >>>> admin area ONLY for "orders". So is it safe to open up these tables in
> >>>> this case?
> >> No, a user does not have to be logged in as an admin or anything
> >> important to take advantage of this vulnerability.
> >>
> >>> You can allow tables temporarily via something like:
> >>> push(@{$Config->{AllowRemoteSearch}},'TABLE');
> >> This only works in very limited cases and has to be done on the search
> >> results page, but run before the search results are processed. It may
> >> or may not work before the [search-region] tag, I'm not sure. Keep in
> >> mind that if you do this you could still be open to an attack.
> >>
> >>
> >> Peter
> >>
> >> _______________________________________________
> >
> >
> > Ah! I love the new search form idea. can I also use just a [query] tag
> > instead of [loop] on the results? I like to use additional SQL right
> > there! That will also solve other problems I am having such as trying
> > type in "fixed wheel gear" and returning rows that match "fixed gear"
> >
>
> Yes, you can do this. Just make sure to sanitize the user's input before
> feeding it directly into a SQL query.
>
> Regards
> Racke
>
>
> --
> LinuXia Systems => http://www.linuxia.de/
> Expert Interchange Consulting and System Administration
> ICDEVGROUP => http://www.icdevgroup.org/
> Interchange Development Team
>

Ah perfect, works like a charm -except- I have a retuning problem. My
more pages give me Internal server errors! The more list works perfect
on my other catalogs where I am using the [search-region] but with the
[query] they do not! Nothing in the error logs, just end of script
stuff. AHH! I think I will start a new thread for this...

--
This message has been scanned for viruses and
dangerous content by Green Mountain Network, and is
believed to be clean.

_______________________________________________
interchange-users mailing list
interchange-users [at] icdevgroup
http://www.icdevgroup.org/mailman/listinfo/interchange-users

lists at gmnet

Sep 25, 2009, 8:19 AM

Post #22 of 25 (2598 views)
Permalink

Re: Interchange security releases: 5.7.2, 5.6.2, 5.4.4 [In reply to]

On Fri, 2009-09-25 at 01:33 -0700, Peter wrote:
> On 09/24/2009 11:54 PM, Gert van der Spoel wrote:
> >> -----Original Message-----
> >> From: interchange-users-bounces [at] icdevgroup [mailto:interchange-
> >> users-bounces [at] icdevgroup] On Behalf Of Rick Bragg
> >> Sent: Friday, September 25, 2009 9:47 AM
> >> To: interchange-users [at] icdevgroup
> >> Subject: Re: [ic] Interchange security releases: 5.7.2, 5.6.2, 5.4.4
> >>
> >> On Fri, 2009-09-25 at 06:38 +0000, Rick Bragg wrote:
> >>> Thanks for this update, I have updated all my e-commerce catalogs with
> >>> no problems at all except for one that is scheduled to go live on next
> >>> Wednesday. The countdown to bringing Montpelier live has started, and
> >>> the city is like a mob scene, they will be banging on my door because it
> >>> is already really late :)
> >>>
> >>> Anyway, my issue is that I am using lots of new tables that I have build
> >>> for "content management" and "social networking" purposes. I am using a
> >>> search similar to the "search_box_smnall" and "advancedsearch" for much
> >>> of the content, also I am usinig a "swish" search for pdf files. The
> >>> tables are somewhat private so I don't want to open them up in the
> >>> "AllowRemoteSearch" config directive in catalog.cfg
> >>>
> >>> Are there new ways to use these kinds of searches? Or is there a
> >>> temporary work-around that I can do for now?
>
> The best thing you can do is to pass the user entered search parameters
> in CGI variables, for example you can do something like this:
>
> <form method="post" action="[area my_results_page]">
> Foo Search Field: <input type="text" name="foo" size="40"><br>
> Bar Search Field: <input type="text" name="bar" size="40"><br>
> <input type="submit" value="Search">
> </form>
>
>
> ...then on the page, my_results_page you would do something like this:
>
> [.loop search=|
> fi=my_table
> st=db
> co=1
> sf=foo
> se=[cgi foo]
> sf=bar
> se=[cgi bar]
> rf=baz,biz
> |]
>
> <p>
> baz is: [loop-param baz]<br>
> biz is: [loop-param biz]
> </p>
> [/loop]
>
>
> The above type of search is safe from being exploited by this
> vulnerability and will continue to work without having to add the tables
> to AlloRemoteSearch.
>
> >> Actually, I set it up so that all the people using the system are
> >> logging into the affiliates database and nobody will be able to put ITL
> >> anywhere in the site (except the planning department who I am letting
> >> do anything anyway). However, I will be letting the Clerk login to the
> >> admin area ONLY for "orders". So is it safe to open up these tables in
> >> this case?
>
> No, a user does not have to be logged in as an admin or anything
> important to take advantage of this vulnerability.
>
> > You can allow tables temporarily via something like:
> > push(@{$Config->{AllowRemoteSearch}},'TABLE');
>
> This only works in very limited cases and has to be done on the search
> results page, but run before the search results are processed. It may
> or may not work before the [search-region] tag, I'm not sure. Keep in
> mind that if you do this you could still be open to an attack.
>
>
> Peter
>

Hi, Is there a way to do something like this with a "swish" search?
the mv_searchtype "swish" is throughing be off here.

This is what I have now...

<form name="search_docs" action="[area search]" method=post>
<input type=hidden name=mv_session_id value="[data session id]">
<input type=hidden name=mv_searchtype VALUE="swish">
<INPUT TYPE=hidden NAME=mv_matchlimit VALUE="25">
<input type=hidden name=mv_search_file VALUE="products/docs.index.swish">
<input type=hidden name=mv_search_page VALUE="swish_results">
<input type=hidden name=mv_coordinate VALUE="1">
<input type=hidden name=mv_substring_match VALUE="1">
<INPUT TYPE=hidden NAME=mv_search_map VALUE="
mv_searchspec=search1
mv_searchspec=search2
">
<INPUT NAME=search1 VALUE="">
<input type=hidden name=search2 VALUE="">
<input type=submit form="search_docs" value="[L]Go[/L]">
</form>

What is the best way to make this work?

Thanks again!
rick

--
This message has been scanned for viruses and
dangerous content by Green Mountain Network, and is
believed to be clean.

_______________________________________________
interchange-users mailing list
interchange-users [at] icdevgroup
http://www.icdevgroup.org/mailman/listinfo/interchange-users

peter at pajamian

Sep 25, 2009, 8:59 AM

Post #23 of 25 (2598 views)
Permalink

Re: Interchange security releases: 5.7.2, 5.6.2, 5.4.4 [In reply to]

On 09/25/2009 08:19 AM, Rick Bragg wrote:
> On Fri, 2009-09-25 at 01:33 -0700, Peter wrote:
>> [.loop search=|
>> fi=my_table
>> st=db
>> co=1
>> sf=foo
>> se=[cgi foo]
>> sf=bar
>> se=[cgi bar]
>> rf=baz,biz
>> |]
>
> Hi, Is there a way to do something like this with a "swish" search?
> the mv_searchtype "swish" is throughing be off here.

st=swish

> This is what I have now...
>
> <form name="search_docs" action="[area search]" method=post>
> <input type=hidden name=mv_session_id value="[data session id]">
> <input type=hidden name=mv_searchtype VALUE="swish">
> <INPUT TYPE=hidden NAME=mv_matchlimit VALUE="25">
> <input type=hidden name=mv_search_file VALUE="products/docs.index.swish">
> <input type=hidden name=mv_search_page VALUE="swish_results">
> <input type=hidden name=mv_coordinate VALUE="1">
> <input type=hidden name=mv_substring_match VALUE="1">
> <INPUT TYPE=hidden NAME=mv_search_map VALUE="
> mv_searchspec=search1
> mv_searchspec=search2
> ">
> <INPUT NAME=search1 VALUE="">
> <input type=hidden name=search2 VALUE="">
> <input type=submit form="search_docs" value="[L]Go[/L]">
> </form>
>
>
> What is the best way to make this work?

The equivalent two letter codes for all of the above parameters are here:
<http://www.interchange.rtfm.info/icdocs/Search_parameters.html>

Peter

_______________________________________________
interchange-users mailing list
interchange-users [at] icdevgroup
http://www.icdevgroup.org/mailman/listinfo/interchange-users

lists at gmnet

Sep 25, 2009, 9:41 AM

Post #24 of 25 (2597 views)
Permalink

Re: Interchange security releases: 5.7.2, 5.6.2, 5.4.4 [In reply to]

On Fri, 2009-09-25 at 08:59 -0700, Peter wrote:
> On 09/25/2009 08:19 AM, Rick Bragg wrote:
> > On Fri, 2009-09-25 at 01:33 -0700, Peter wrote:
> >> [.loop search=|
> >> fi=my_table
> >> st=db
> >> co=1
> >> sf=foo
> >> se=[cgi foo]
> >> sf=bar
> >> se=[cgi bar]
> >> rf=baz,biz
> >> |]
> >
> > Hi, Is there a way to do something like this with a "swish" search?
> > the mv_searchtype "swish" is throughing be off here.
>
> st=swish
>
> > This is what I have now...
> >
> > <form name="search_docs" action="[area search]" method=post>
> > <input type=hidden name=mv_session_id value="[data session id]">
> > <input type=hidden name=mv_searchtype VALUE="swish">
> > <INPUT TYPE=hidden NAME=mv_matchlimit VALUE="25">
> > <input type=hidden name=mv_search_file VALUE="products/docs.index.swish">
> > <input type=hidden name=mv_search_page VALUE="swish_results">
> > <input type=hidden name=mv_coordinate VALUE="1">
> > <input type=hidden name=mv_substring_match VALUE="1">
> > <INPUT TYPE=hidden NAME=mv_search_map VALUE="
> > mv_searchspec=search1
> > mv_searchspec=search2
> > ">
> > <INPUT NAME=search1 VALUE="">
> > <input type=hidden name=search2 VALUE="">
> > <input type=submit form="search_docs" value="[L]Go[/L]">
> > </form>
> >
> >
> > What is the best way to make this work?
>
> The equivalent two letter codes for all of the above parameters are here:
> <http://www.interchange.rtfm.info/icdocs/Search_parameters.html>
>
>
> Peter
>

Got it, sometimes I just can't think when overwhelmed.
I am still having a big problem with the Internal server error on more
pages though.

Thanks
rick

--
This message has been scanned for viruses and
dangerous content by Green Mountain Network, and is
believed to be clean.

_______________________________________________
interchange-users mailing list
interchange-users [at] icdevgroup
http://www.icdevgroup.org/mailman/listinfo/interchange-users

peter at pajamian

Sep 25, 2009, 9:48 AM

Post #25 of 25 (2601 views)
Permalink

Re: Interchange security releases: 5.7.2, 5.6.2, 5.4.4 [In reply to]

On 09/25/2009 09:41 AM, Rick Bragg wrote:
> I am still having a big problem with the Internal server error on more
> pages though.

Look at your global error.log file.

Peter

_______________________________________________
interchange-users mailing list
interchange-users [at] icdevgroup
http://www.icdevgroup.org/mailman/listinfo/interchange-users

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads