[Cache-News] Security Alert - %template
47 views
Skip to first unread message
cache-ne...@intersystems.com
Mar 9, 2004, 1:46:44 PM3/9/04
to x...@info2.kinich.com
InterSystems has encountered a critical issue with a number of Cache'
classes which could allow an attacker to access data on a Cache' server.
This vulnerability is in classes that are not required on production
systems and are only used during development. Removing them will have no
impact on a production system.
These classes are included in all releases of Cache' 5.0.
InterSystems recommends you remove them by using Terminal. Once connected
using Terminal, enter the following commands:
zn "%cachelib"
do $system.OBJ.DeletePackage("%template")
In addition please remove all .csp files from the following directories (if
installed):
\Dev\studio\templates
\Devuser\studio\templates
of your Cache installation (default: cachesys).
InterSystems is working on a solution to remove this vulnerability from
future versions.
classes which could allow an attacker to access data on a Cache' server.
This vulnerability is in classes that are not required on production
systems and are only used during development. Removing them will have no
impact on a production system.
These classes are included in all releases of Cache' 5.0.
InterSystems recommends you remove them by using Terminal. Once connected
using Terminal, enter the following commands:
zn "%cachelib"
do $system.OBJ.DeletePackage("%template")
In addition please remove all .csp files from the following directories (if
installed):
\Dev\studio\templates
\Devuser\studio\templates
of your Cache installation (default: cachesys).
InterSystems is working on a solution to remove this vulnerability from
future versions.
Denver Braughler
Mar 9, 2004, 9:24:08 PM3/9/04
to x...@info2.kinich.com
cache-news wrote:
> InterSystems has encountered a critical issue with a number of Cache'
> classes which could allow an attacker to access data on a Cache' server.
For the purpose of this discussion, is it correct to say that any Cache'
> InterSystems has encountered a critical issue with a number of Cache'
> classes which could allow an attacker to access data on a Cache' server.
system with a database mounted is a server?
> This vulnerability is in classes that are not required on production
> systems and are only used during development. Removing them will have no
> impact on a production system.
Are they vulnerable but will feel the impact?
Also, the alert says to delete just *.CSP, but is it fine to delete the
entire directories <cachesys>/dev and ./devuser on production systems?
> InterSystems is working on a solution to remove this vulnerability from
> future versions.
(1) I can assess the threat to non-production systems; and
(2) I can avoid making a similar vulnerability in my code.
Bill McCormick
Mar 10, 2004, 6:44:24 AM3/10/04
to x...@info2.kinich.com
All systems with these classes on them are vulnerable. The template
files are used by the studio to assist in creating new
pages/routines/classes. The problem is they can be used to open system
level files - allowing people to access cache.key, cache.dat etc.
Because they are prefixed with % it leaves the entire cache system
vulnerable, not just samples as noted in a previous alert. Deleting the
entire /dev directory removes all samples from the system - not a bad
thing on a production system.
--
Bill McCormick
Web/Objects Support Manager
InterSystems Corporation
bmc...@intersys.com
files are used by the studio to assist in creating new
pages/routines/classes. The problem is they can be used to open system
level files - allowing people to access cache.key, cache.dat etc.
Because they are prefixed with % it leaves the entire cache system
vulnerable, not just samples as noted in a previous alert. Deleting the
entire /dev directory removes all samples from the system - not a bad
thing on a production system.
Bill McCormick
Web/Objects Support Manager
InterSystems Corporation
bmc...@intersys.com
Reply all
Reply to author
Forward
0 new messages