COMMAND

    Interchange

SYSTEMS AFFECTED

    Interchange versions 4.5.3 through 4.6.3

PROBLEM

    Jon Jensen found the following.  A serious security vulnerability has
    been found in the default installation of the Interchange demo stores
    'barry', 'basic', and 'construct' distributed in Interchange versions
    4.5.3 through 4.6.3.

    Using a group  login that had  no password set  by default, it  is
    possible to log  in to the  back-end administration area  and view
    and alter products, orders, and customer information.

    Jud Harris found this originally.

SOLUTION

    If you set up a store based on one of those demos and did not
    remove all default user and group accounts, you should
    immediately make the following change.

    In  all  installed  catalog  directories,  as  well as the catalog
    templates  in  the  Interchange   software  directory,  edit   the
    products/access.asc file, changing this line:

        :backup<tab><tab>Backup

    to look like this:

        :backup<tab>*<tab>Backup

    As with all other Interchange database source files, the placement
    of the  tabs is  significant.   You could  also simply delete that
    line altogether.  Make sure to restart Interchange so your  change
    takes effect.

    This problem has been fixed  in Interchange 4.6.4, to be  released
    shortly.   As  well  as  blocking  password  access on that group,
    there  are  now  also  tighter  checks  on  login attempts.  Group
    logins, user  names with  invalid characters,  and blank passwords
    will all be rejected without consulting the access database.
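
    As an added example (not part of this advisory and not Interchange's
    own code), the Python script below does two things the text above
    describes: it audits an access.asc-style file for login entries whose
    password field is blank and applies either fix from the SOLUTION
    section (put '*' in the password field, or drop the line), preserving
    the tab layout; and it shows the kind of pre-login filtering the
    advisory says 4.6.4 performs before the access database is consulted.
    It assumes the file is tab-separated with the account name in the
    first field and the password in the second, that a leading ':' marks a
    group login (as in the ':backup' example), and that valid user names
    are limited to letters, digits and underscore.  The sample file
    contents and the allowed-character set are constructed for the
    example.

```python
import re

# Constructed sample of an access.asc-style file (not a real catalog file).
# Assumed layout: tab-separated; field 1 = account name (leading ':' means
# a group login), field 2 = password, further fields passed through as-is.
ACCESS_FILE_SAMPLE = (
    "code\tpassword\tname\n"
    "admin\t$1$example$hash\tAdministrator\n"
    ":backup\t\tBackup\n"
    ":ops\t\tOperations\n"
    "editor\t*\tEditor\n"
)


def find_blank_password_logins(text, groups_only=False):
    """Return the names of entries whose password field is empty.

    With groups_only=True only ':'-prefixed (group) entries are reported.
    A header line, if present, is never reported because its password
    column holds the column name rather than an empty string.
    """
    found = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        name = fields[0]
        password = fields[1] if len(fields) > 1 else ""
        if password == "" and (name.startswith(":") or not groups_only):
            found.append(name)
    return found


def harden_access_file(text, delete_instead=False):
    """Return the file with blank password fields set to '*'.

    With delete_instead=True the offending lines are removed instead,
    which is the alternative the advisory offers.  Tabs in all other
    fields and the original line endings are preserved, since Interchange
    treats tab placement as significant.  The function is idempotent.
    """
    out = []
    for line in text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        eol = line[len(body):]
        if not body.strip():
            out.append(line)
            continue
        fields = body.split("\t")
        if len(fields) > 1 and fields[1] == "":
            if delete_instead:
                continue
            fields[1] = "*"  # '*' can never match a supplied password
        out.append("\t".join(fields) + eol)
    return "".join(out)


# Assumed allowed character set for user names (the advisory only says
# "invalid characters" are rejected; the exact set is not given).
VALID_USERNAME = re.compile(r"^[A-Za-z0-9_]+$")


def login_allowed_for_lookup(username, password):
    """Pre-checks in the spirit of the 4.6.4 behaviour described above.

    Returns (allowed, reason).  Group logins, user names with characters
    outside the assumed set, and blank passwords are refused here, so the
    access database is never consulted for them.
    """
    if username.startswith(":"):
        return False, "group login"
    if not VALID_USERNAME.match(username):
        return False, "invalid characters in user name"
    if password == "":
        return False, "blank password"
    return True, "ok"


if __name__ == "__main__":
    print("blank-password entries:", find_blank_password_logins(ACCESS_FILE_SAMPLE))
    print("--- hardened with '*' ---")
    print(harden_access_file(ACCESS_FILE_SAMPLE), end="")
    print("--- hardened by deletion ---")
    print(harden_access_file(ACCESS_FILE_SAMPLE, delete_instead=True), end="")
    for user, pw in ((":backup", "anything"), ("ad min", "pw"), ("admin", ""), ("admin", "pw")):
        print(repr(user), repr(pw), "->", login_allowed_for_lookup(user, pw))
```

    To use it on a real catalog, read products/access.asc into a string,
    run it through find_blank_password_logins to see what would change,
    then write the result of harden_access_file back and restart
    Interchange as the advisory instructs.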