[Cache-News] Security Alert - %template

26 views
Skip to first unread message

cache-ne...@intersystems.com

unread,
Mar 9, 2004, 1:46:44 PM3/9/04
to x...@info2.kinich.com
InterSystems has encountered a critical issue with a number of Cache'
classes which could allow an attacker to access data on a Cache' server.
This vulnerability is in classes that are not required on production
systems and are only used during development. Removing them will have no
impact on a production system.

These classes are included in all releases of Cache' 5.0.

InterSystems recommends you remove them by using Terminal. Once connected
using Terminal, enter the following commands:

zn "%cachelib"

do $system.OBJ.DeletePackage("%template")

In addition please remove all .csp files from the following directories (if
installed):

\Dev\studio\templates
\Devuser\studio\templates

of your Cache installation (default: cachesys).


InterSystems is working on a solution to remove this vulnerability from
future versions.



Denver Braughler

unread,
Mar 9, 2004, 9:24:08 PM3/9/04
to x...@info2.kinich.com
cache-news wrote:
> InterSystems has encountered a critical issue with a number of Cache'
> classes which could allow an attacker to access data on a Cache' server.

For the purpose of this discussion, is it correct to say that any Cache'
system with a database mounted is a server?

> This vulnerability is in classes that are not required on production
> systems and are only used during development. Removing them will have no
> impact on a production system.

And what about development/test systems?
Are they vulnerable but will feel the impact?

Also, the alert says to delete just *.CSP, but is it fine to delete the
entire directories <cachesys>/dev and ./devuser on production systems?


> InterSystems is working on a solution to remove this vulnerability from
> future versions.

I would like to have the vulnerability explained so that
(1) I can assess the threat to non-production systems; and
(2) I can avoid making a similar vulnerability in my code.

Bill McCormick

unread,
Mar 10, 2004, 6:44:24 AM3/10/04
to x...@info2.kinich.com
All systems with these classes on them are vulnerable. The template
files are used by the studio to assist in creating new
pages/routines/classes. The problem is they can be used to open system
level files - allowing people to access cache.key, cache.dat etc.
Because they are prefixed with % it leaves the entire cache system
vulnerable, not just samples as noted in a previous alert. Deleting the
entire /dev directory removes all samples from the system - not a bad
thing on a production system.
--
Bill McCormick
Web/Objects Support Manager
InterSystems Corporation
bmc...@intersys.com

Reply all
Reply to author
Forward
0 new messages