Mailing List Archive

IMPORTANT: Workaround for IC problem
Dear All,

There was a serious security problem found with all versions of
Interchange and Minivend. It allows reading of arbitrary files that
can be read by the Interchange/Minivend user ID.

There is a workaround that is immediately effective:

* Move or remove the "doc" directory, if it exists in the Interchange
software directory.

    mv INTERCHANGE_ROOT/doc INTERCHANGE_ROOT/unsafe

i.e. if your Minivend or Interchange is installed at
/usr/local/interchange, it would be:

    mv /usr/local/interchange/doc /usr/local/interchange/unsafe

That immediately closes the hole. Normally the only contents of
the directory are some man pages.

There will be patched versions available soon which solve the problem
completely.

We strongly urge all Interchange and Minivend users to implement this
immediately for the safety of their systems and customer data.

In addition, we recommend that if you don't need INET mode that
you disable it. In addition it would be wise to close port 7786
on the internet side of your firewall.

Best Regards,
Mike Heins

for ICDEVGROUP

--
Mike Heins
Perusion -- Expert Interchange Consulting http://www.perusion.com/
phone +1.513.523.7621 <mike@perusion.com>

Few blame themselves until they have exhausted all other possibilities.
-- anonymous
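
A way to verify the workaround described in the message above, as an added example that is not part of the original post or of Interchange itself. It assumes a Linux host whose IPv4 socket table is readable in /proc/net/tcp format; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a host against the advisory's workaround.
# Assumptions: Linux /proc/net/tcp layout (IPv4 only); all names are hypothetical.

# Succeeds (exit 0) if ROOT/doc still exists, including as a dangling symlink.
doc_dir_exposed() {
    [ -e "$1/doc" ] || [ -L "$1/doc" ]
}

# Print the hex local addresses that LISTEN on a port and are not loopback.
# $1 = file in /proc/net/tcp format, $2 = decimal port number
nonlocal_listeners() {
    hexport=$(printf '%04X' "$2")
    awk -v p="$hexport" '
        NR > 1 && $4 == "0A" {               # skip header; 0A is TCP_LISTEN
            split($2, a, ":")                # local_address is ADDR:PORT in hex
            # 0100007F is 127.0.0.1 in the byte order /proc uses
            if (toupper(a[2]) == p && toupper(a[1]) != "0100007F") print a[1]
        }' "$1"
}

# $1 = Interchange/Minivend software directory, $2 = socket table file
audit() {
    rc=0
    if doc_dir_exposed "$1"; then
        echo "FAIL: $1/doc is still present; move it as the advisory describes"
        rc=1
    fi
    if [ -n "$(nonlocal_listeners "$2" 7786)" ]; then
        echo "WARN: TCP 7786 is listening on a non-loopback address"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: doc directory moved and no external listener on 7786"
    fi
    return "$rc"
}

# Usage: sh audit.sh /usr/local/interchange /proc/net/tcp
if [ "$#" -eq 2 ]; then
    audit "$1" "$2"
fi
```

A listener bound to 0.0.0.0 is reported even when a firewall already blocks the port, so treat the WARN line as a prompt to confirm the firewall rule or disable INET mode.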