[Cache-News] Security Alert: User passed parameter values via CSP

cache-ne...@mail.intersystems.com

Jul 18, 2007, 2:27:41 PM
to intersystems...@info2.kinich.com
July 18, 2007 - Security Alert: User passed parameter values via CSP could
be encoded by login page redirection logic

InterSystems has corrected a Cache' defect that can allow a malicious user
to change data on the server.

This defect exists in all currently released Cache' 2007.1.x versions
(2007.1.0.369.0 and 2007.1.1.420.0). Versions prior to Cache' 2007.1 are
not affected.

For security reasons, a detailed description of how to reproduce this
issue will not be provided.

Normal and intended operations of CSP applications are not affected.

Please note that the System Management Portal in Cache' is a CSP-based
application and is also vulnerable to this defect.

The correction for this defect, identified as MAK2116, is included in
upcoming Cache' and Ensemble releases. It is also available from
InterSystems in an Ad Hoc distribution or by applying this patch.

http://www.intersystems.com/support/Adhoc5655.zip

InterSystems strongly recommends you apply the available patch as soon as
possible or request an Ad Hoc distribution.

If you have any questions regarding this, please contact the InterSystems
Worldwide Response Center (WRC) at sup...@intersystems.com.
