[Cache-News] Security Alert: User passed parameter values via CSP
cache-ne...@mail.intersystems.com
be encoded by login page redirection logic
InterSystems has corrected a Cache' defect that can lead to data changes
on the server by a malicious user.
This defect exists in all currently released Cache' 2007.1.x versions
(2007.1.0.369.0 and 2007.1.1.420.0). Versions prior to Cache' 2007.1 are
not affected.
For security reasons, a detailed description on how to reproduce this
issue will not be provided.
Normal and intended operations of CSP applications are not affected.
Please note the System Management Portal in Cache' is a CSP-based
application and also vulnerable to this defect.
The correction for this defect, identified as MAK2116, is included in
upcoming Cache' and Ensemble releases. It is also available from
InterSystems in an Ad Hoc distribution or by applying this patch.
http://www.intersystems.com/support/Adhoc5655.zip
InterSystems strongly recommends you apply the available patch as soon as
possible or request an Ad Hoc distribution.
If you have any questions regarding this, please contact the InterSystems
Worldwide Response Center (WRC) at sup...@intersystems.com.